Abstract 



A non-deterministic public key encryption system whereby a public key is generated from a private key using mathematical operations 
equivalent to exponentiation in finite fields. Thus an attacker is required to compute logarithms over finite fields. Encryption involves 
generating a random initialisation key (R) which is used to (1) exponentiate the message receiver's public key (E) to produce initial values 
(K) for a pseudorandom binary mixture generator, and to (2) compute an open key (Q) by exponentiating an initial known generator state 
(a0). A ciphertext (C) is produced from plaintext (P) by clocking the mixture generator from the initial value (K) and combining the output 
keystream with the plaintext (P). The open key (Q) is attached to the ciphertext prior to transmission. Decryption involves extracting the 
open key (Q) and exponentiating this by the message receiver's private key (D) to compute (K) which is then used to set the initial value 
of a mixture generator. The mixture generator is clocked and its output keystream combined with the ciphertext (C) to produce plaintext 
(P). The invention may be implemented in special purpose hardware or in software for a general purpose processor. 
A NON-DETERMINISTIC PUBLIC KEY ENCRYPTION SYSTEM 

TECHNICAL FIELD 

This invention relates to cryptographic systems and more particularly but not solely 
to a method and means for realising a computationally secure public-key encryption 
system and digital signature (authentication) system. 
BACKGROUND ART 

Data security is an increasingly important aspect in the design of modern 
communication systems. Encryption systems have been devised in an attempt to scramble 
or code a message so that to an observer (or "attacker"), the message being 
communicated appears nonsensical. Many encryption systems have utilised the idea of 
"keys" with which the message to be communicated is first encoded by the sender and 
then decoded by the receiver of the message. In this type of conventional encryption 
system there is the disadvantage that before a message can be decrypted by the intended 
recipient of the message, the sender of the message must first communicate, to the 
intended recipient, the decryption key. In addition, any change in the encryption key 
requires a corresponding change in the decryption key which must then be transmitted 
to the intended recipient. In the transmission or transportation of keys to the recipient 
there is always a danger that an observer or attacker will discover the key. 

Public-key encryption systems have been developed in order to overcome this 
problem of the necessity to exchange keys. This type of system was introduced by Diffie 
and Hellman in 1976 in which each participant in the communication system has two 
keys, a public key which is made publicly available to all participants in the 
communication system and a private key which each participant keeps to himself. Each 
participant's private key is determined (either by choice or random selection) and from 
the private key the public key is generated. The public key can be thought of as the 
encryption key (E) while the private key may be thought of as the decryption key (D). 

In public key encryption systems, the mathematical relationship which exists 
between the keys is often a "one-way function." That is, it is arranged that the public key 
may be relatively easily generated from the private key, however, determining the private 
key from the public key is computationally infeasible (that is, given an enormous quantity 
of computational resources, determination of the private key could probably not be 
effected within a lifetime). 

In order for participant A to communicate a message M to a participant B in a 
public-key encryption system, user A first obtains user B's public key from a publicly 
available register or file and uses it to encrypt the message M. The ciphertext C is the 
result of encrypting the message M and is transmitted to user B who then transforms the 
ciphertext C using his own private key to obtain the message M. 

To an observer or attacker wanting to discover the message M and who is aware 
of the public key and perhaps also has full knowledge of the cryptographic system, the 
private key (decryption key) must be determined from the known public key. As has 
been mentioned, the system relies upon the fact that this operation is extremely difficult 
to carry out. Alternatively, the attacker may have nothing but the intercepted encrypted 
message and a limited knowledge of the statistical properties of the message language. 

An example of a public-key encryption system is disclosed in U.S. Patent No. 
4,405,829 to Rivest et al. The one-way function disclosed makes use of the fact that very 
large numbers are very hard to factorise. This system, however, has the disadvantage of 
requiring extensive multiplication of large (for example, 512-bit) integers, which is a very 
slow process. Another disadvantage of this system is that the encryption method used is 
completely deterministic, that is, if the same message is later sent to the same recipient, 
the identical ciphertext is produced, which can enable an attacker or eavesdropper to 
obtain significant information about message traffic being sent. A further disadvantage 
is that the system does not permit engineering trade-offs or compromises between speed 
and security, whereas it would be an advantage to be able to design a variety of types of 
cryptographic systems such as one with extremely high speed and moderate security, or 
one with moderately high speed and extremely high security. Yet another disadvantage 
is that the system is cumbersome to implement using very fast special purpose electronic 
devices as opposed to general-purpose digital computers. 

Another desirable property of a secure communication system is the ability to 
conclusively prove that the participant indicated as being the originator of a message is 
the actual originator of the message. This is the so-called signature and authentication 
problem. 

A prior example of a proposed public-key distribution system is disclosed in U.S. 
Patent No. 4,200,770 to Hellman et al. However, the proposed system is a "key exchange" 
system rather than a true public-key encryption system. Hellman and Diffie also 
proposed a digital signature scheme in the paper "Privacy and Authentication: An 
Introduction to Cryptography," published in the Proceedings of the IEEE on page 401 of 
Volume 67, Number 3 of March 1979. In the signature system disclosed therein a 
participant A who wishes to send a message M to participant B first encrypts the message 
text M with his own private key, then encrypts this result with user B's public key to 
produce the ciphertext C which is transmitted to user B. User B then utilises his private 
key to transform the ciphertext to a form whereby a further transformation by user A's 
public key will produce the message text M. It can be seen that if the message is 
reproduced after this series of steps then the message must have come from user A. 

One disadvantage of this system is that the encryption process must be performed 
twice by both the sender and receiver, adversely affecting the speed of the process. 

Another disadvantage is that it is necessary, in order to decrypt a message, to know the 
sender's public key, implying a heavy demand for access to the public key file. A further 
disadvantage is that the problem of managing the public key file is complicated by the 
possible need to retain and identify old public keys even after they may have been 
superseded. Yet another disadvantage is that the public key file is required to play a part 
in both privacy and authentication, whereas it would be an advantage to be able to 
separately manage information needed to accomplish these quite different functions. 
DISCLOSURE OF INVENTION 

It is, therefore, an object of the present invention to provide a complete public-key 
encryption system which will go some way towards overcoming the above disadvantages 
or which will at least provide industry with a useful choice. 

Accordingly, in one aspect the invention consists in a public-key encryption system 
wherein a message sender encrypts a plaintext message using a publicly known key unique 
to a message receiver and the message receiver decrypts the encrypted message using a 
secret private key from which the public key has been derived, characterised in that: 

(1) a private key (D) is selected which comprises a plurality of binary numbers 
D1 to Dn; 

(2) a public key (E) is exponentiated using the private key by, for each of the 
said numbers D1 to Dn, calculating the state of a pseudo-random binary number generator 
from a given initial state after a number of clock pulses or state transitions equal to the 
corresponding number given by the private key D1 to Dn and providing each of the 
calculated binary states E1 to En as a component of the public key E; 

(3) the message sender 

(a) selects a random initialisation key (R) comprising a set of binary 
numbers R1 to Rn and exponentiates the initial state using each number by, for each of the 
numbers R1 to Rn, calculating the state of a pseudo-random binary number generator from 
a given initial state after a number of clock pulses or state transitions equal to the 
corresponding number given by the random initialisation key R1 to Rn and providing each 
of the calculated binary states Q1 to Qn as a component of an open key Q, 

(b) exponentiates the components of the public key E by the components 
of the random initialisation key R to produce generator initialisation states K1 to Kn by, for 
each of the said numbers E1 to En and R1 to Rn, calculating the state of a pseudo-random 
binary number generator that would result from applying the process defined in step (2) 
a number of times equal to the corresponding binary number R1 to Rn, 

(c) loads a set (n) of pseudo-random binary number generators, the outputs 
of which are combined to form a mixture generator, with initial values K1 to Kn, 

(d) clocks the mixture generator to obtain a keystream serial output and 
combines this output with the binary plaintext message to produce an encrypted bit 
stream, 

(e) transmits the encrypted bit stream together with the open key Q to the 
message receiver; 

(4) the message receiver 

(a) extracts the open key Q from the encrypted bit stream, 

(b) exponentiates the open key Q by the private key D to derive generator 
initialisation states K1 to Kn by, for each of the said numbers Q1 to Qn and D1 to Dn, calculating 
the state of a pseudo-random binary number generator that would result from applying 
the process defined in step (3)(a) a number of times equal to the corresponding binary 
number D1 to Dn, 

(c) loads a second set (n) of pseudo-random binary number generators, the 
outputs of which are combined to form a mixture generator, with the generator 
initialisation states K1 to Kn, 

(d) clocks the mixture generator to obtain a keystream serial output and 
combines this output with the received encrypted bit stream to produce the sender's 
plaintext message. 

In a second aspect the invention consists in encryption apparatus for a public key 
encryption system in which a private key (D) is selected which comprises a plurality of 
binary numbers D1 to Dn and a public key (E) is exponentiated using the private key by, for 
each of the said numbers D1 to Dn, calculating the state of a pseudo-random binary number 
generator from a given initial state after a number of clock pulses or state transitions 
equal to the corresponding number given by the private key D1 to Dn, and providing each 
of the calculated binary states E1 to En as a component of the public key E, said apparatus 
comprising: 

means for generating a random initialisation key (R) comprising a set of binary 
numbers R1 to Rn; 

means for exponentiating the initial state using each number by, for each of the 
said numbers R1 to Rn, calculating the state of a pseudo-random binary number generator 
from a given initial state after a number of clock pulses or state transitions equal to the 
corresponding number given by the random initialisation key R1 to Rn and providing each 
of the calculated binary states Q1 to Qn as a component of an open key Q; 

means for exponentiating the components of the public key E by the components 
of the random initialisation key R to produce generator initialisation states K1 to Kn by, for 
each of the said numbers E1 to En and R1 to Rn, calculating the state of a pseudo-random 
binary number generator that would result from applying the process used to 
exponentiate public key (E) a number of times equal to the corresponding binary number 
R1 to Rn; 

a mixture generator comprising a set (n) of pseudo-random binary number 
generators, the outputs of which are combined to form the output of the mixture 
generator; 

means which load said set (n) of pseudo-random binary number generators with 
initial values equal to K1 to Kn; 

means which clock the mixture generator to obtain a keystream serial output; 
means which receive a plaintext message and combine the output of the mixture 
generator with the binary plaintext message to produce an encrypted bit stream; 

and means for transmitting the encrypted bit stream together with the open key 
Q to the message receiver. 

In a third aspect the invention consists in decryption apparatus for a public-key 
encryption system in which a private key (D) is selected which comprises a plurality of 
binary numbers D1 to Dn and a public key (E) is exponentiated using the private key by, for 
each of the said numbers D1 to Dn, calculating the state of a pseudo-random binary number 
generator from a given initial state after a number of clock pulses or state transitions 
equal to the corresponding number given by the private key D1 to Dn, and providing each 
of the calculated binary states E1 to En as a component of the public key E, and wherein a 
plaintext message is encrypted according to a process whereby the message sender 

(1) selects a random initialisation key (R) comprising a set of binary numbers 
R1 to Rn and exponentiates the initial state using each number by, for each of the said 
numbers R1 to Rn, calculating the state of a pseudo-random binary number generator from 
a given initial state after a number of clock pulses or state transitions equal to the 
corresponding number given by the random initialisation key R1 to Rn and providing each 
of the calculated binary states Q1 to Qn as a component of an open key Q; 

(2) exponentiates the components of the public key E by the components of the 
random initialisation key R to produce generator initialisation states K1 to Kn by, for each 
of the said numbers E1 to En and R1 to Rn, calculating the state of a pseudo-random binary 
number generator that would result from applying the process previously defined, wherein 
a private key is used to exponentiate a public key, a number of times equal to the 
corresponding binary number R1 to Rn; 

(3) loads a set (n) of pseudo-random binary number generators, the outputs of 
which are combined to form a mixture generator, with initial values K1 to Kn; 

(4) clocks the mixture generator to obtain a keystream serial output and combines 
this output with the binary plaintext message to produce an encrypted bit stream; 

(5) transmits the encrypted bit stream together with the open key Q to the 
message receiver, 

said decryption apparatus comprising: 

means for extracting the open key Q from the encrypted bit stream; 

means for exponentiating open key Q by the private key D to derive generator 
initialisation states K1 to Kn by, for each of the said numbers Q1 to Qn and D1 to Dn, calculating 
the state of a pseudo-random binary number generator that would result from applying 
the process defined above for deriving the open key (Q) a number of times equal to the 
corresponding binary number D1 to Dn; 

a set (n) of pseudo-random binary number generators, the outputs of which are 
combined to form a mixture generator; 

means which load said set (n) of pseudo-random binary number generators with 
initial values equal to K1 to Kn; 

means for clocking the mixture generator to obtain a keystream serial output; 
and means for combining this output with the received encrypted bit stream to 
produce the plaintext message. 
In a fourth aspect the invention consists in a public-key authentication system 
wherein a message sender appends signature information to a message and registers 
corresponding authentication information together with his name in a signature archive 
that is open to public inspection and wherein a message verifier obtains the message and 
its signature information, and the authentication information from the public signature 
archive and uses these to confirm whether or not the message has been sent by the 
sender identified by said signature information, characterised in that: 
(1) the message sender 

(a) selects a random digital signature (S) consisting of a plurality of binary 
numbers S1 to Sn; 

(b) exponentiates a verification key V by, for each of said numbers S1 to Sn, 
calculating the state of a pseudo-random binary number generator from a given initial 
state after a number of clock pulses or state transitions equal to the corresponding 
number given by the random digital signature S1 to Sn and providing each of the calculated 
binary states V1 to Vn as a component of the verification key V; 

(c) checks said signature archive to ensure that the verification key V 
computed in (b) has not yet been registered and if V has previously been registered 
repeats steps (a) and (b); 

(d) computes a generalised cyclic redundancy check (CRC) value C by, for 
each one of a set (n) of pseudo-random binary number generators, computing the 
remainder resulting from dividing the sequence of bits comprising the message being sent 
by a modulus corresponding to said pseudo-random binary number generator and 
providing each such remainder C1 to Cn as a component of the generalised CRC value C; 

(e) computes the sum C + S (modulo 2) and registers this sum and the 
verification key V under his name in the public signature archive; 

(f) appends S to the message being sent, and 
(2) the message verifier 

(a) extracts the digital signature (S) consisting of a plurality of binary 
numbers S1 to Sn from the message; 

(b) computes a generalised cyclic redundancy check (CRC) value C by, for 
each of the said numbers S1 to Sn, computing the remainder resulting from dividing the 
sequence of bits comprising the received message by a modulus corresponding to a 
pseudo-random binary number generator and providing each such remainder C1 to Cn as a 
component of the generalised CRC value C; 

(c) computes a verification key V by, for each of said numbers S1 to Sn, 
exponentiating a given initial state of the corresponding pseudo-random binary number 
generator using each said number S1 to Sn by means of the process defined in step (1)(b); 

(d) computes the sum C + S (modulo 2); 

(e) searches the public signature archive under the name of the sender 
identified by said signature information of the message for authentication information 
matching the values C + S (modulo 2) and V computed in (c) and (d); 

(f) validates the message as authentic if the search in (e) is successful, or 
rejects it as spurious if the search in (e) is unsuccessful. 
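The following Python model is added here as a worked example; it is not code from the patent and makes several choices that the text leaves open. It assumes n = 3 component generators over GF(2^13), GF(2^17) and GF(2^19) (Mersenne exponents, so each multiplicative group has prime order and any irreducible degree-p polynomial found by the Rabin test at import is primitive), an initial known generator state a0 equal to the field identity so that "the state after k clock pulses" is exactly multiplication by x^k and the two exponentiations of steps (3)(b) and (4)(b) of the first aspect meet on x^(D_i R_i), a Geffe-type combiner (the preferred mixture generator named in the drawings) taking the low bit of each register as its output, an arbitrary 4-byte-per-component header carrying the open key Q, and a local set standing in for the public signature archive of the fourth aspect. It covers key generation, encryption and decryption (first aspect) and signing and verification against the archive (fourth aspect); the fifth aspect is the same encrypt and decrypt applied to P followed by C_M.

```python
"""Constructed example (not the patent's own code) of the first and fourth aspects over GF(2^p)
for p in {13, 17, 19} (assumed; n = 3).  With initial state a0 = 1, k clock pulses of the LFSR
defined by f multiply the state by x^k, so E_i = x^D_i, Q_i = x^R_i and both sides get x^(D_i R_i)."""
import secrets
EXPONENTS = (13, 17, 19)   # 2^p - 1 = 8191, 131071, 524287: Mersenne primes

def gf_mul(a, b, f, p):
    """Multiply bit-vector polynomials a, b over GF(2) modulo f, deg f = p."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> p:
            a ^= f
    return r

def gf_pow(a, e, f, p):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a, f, p)
        a, e = gf_mul(a, a, f, p), e >> 1
    return r

def is_irreducible(f, p):   # Rabin's test for prime degree p: no root in GF(2), x^(2^p) == x (mod f)
    if not f & 1 or bin(f).count("1") % 2 == 0:
        return False
    y = 2                                   # the polynomial x, squared p times
    for _ in range(p):
        y = gf_mul(y, y, f, p)
    return y == 2

def primitive_poly(p):   # 2^p - 1 prime => every irreducible degree-p polynomial is primitive
    return next(f for f in range((1 << p) | 1, 1 << (p + 1), 2) if is_irreducible(f, p))

FIELDS = [(p, primitive_poly(p)) for p in EXPONENTS]
A0 = 1                                      # initial known generator state: the identity

def clock(state, k, f, p):                  # state after k clock pulses; from A0 = 1 this is x^k
    return gf_mul(state, gf_pow(2, k, f, p), f, p)

def rand_exponents():
    return [1 + secrets.randbelow((1 << p) - 2) for p, _ in FIELDS]    # in 1 .. 2^p - 2

def keygen():
    D = rand_exponents()                                                # private key
    return D, [clock(A0, d, f, p) for d, (p, f) in zip(D, FIELDS)]     # public key E

def keystream(K, nbytes):
    """Geffe-type mixture generator: generator 1 selects the output of generator 2 or 3."""
    s, out = list(K), bytearray()
    for _ in range(nbytes):
        byte = 0
        for _ in range(8):
            s = [gf_mul(v, 2, f, p) for v, (p, f) in zip(s, FIELDS)]   # one clock pulse each
            a, b, c = (v & 1 for v in s)
            byte = byte << 1 | (c ^ (a & (b ^ c)))
        out.append(byte)
    return bytes(out)

def encrypt(E, plaintext):
    R = rand_exponents()                                                # random initialisation key
    Q = [clock(A0, r, f, p) for r, (p, f) in zip(R, FIELDS)]            # open key
    K = [gf_pow(e, r, f, p) for e, r, (p, f) in zip(E, R, FIELDS)]      # E_i ^ R_i
    header = b"".join(q.to_bytes(4, "big") for q in Q)                  # header format is arbitrary
    return header + bytes(x ^ y for x, y in zip(plaintext, keystream(K, len(plaintext))))

def decrypt(D, ciphertext):
    Q = [int.from_bytes(ciphertext[4 * i:4 * i + 4], "big") for i in range(len(FIELDS))]
    K = [gf_pow(q, d, f, p) for q, d, (p, f) in zip(Q, D, FIELDS)]      # Q_i ^ D_i
    body = ciphertext[4 * len(FIELDS):]
    return bytes(x ^ y for x, y in zip(body, keystream(K, len(body))))

def generalised_crc(message):
    """Fourth aspect: remainder of the message polynomial modulo each generator polynomial."""
    crc = []
    for p, f in FIELDS:
        r = int.from_bytes(message, "big")
        for i in range(r.bit_length() - 1, p - 1, -1):                  # long division over GF(2)
            if r >> i & 1:
                r ^= f << (i - p)
        crc.append(r)
    return crc

ARCHIVE = set()   # constructed stand-in for the public signature archive: entries (name, C xor S, V)

def sign(name, message):
    while True:
        S = rand_exponents()                                            # random digital signature
        V = tuple(clock(A0, s, f, p) for s, (p, f) in zip(S, FIELDS))   # verification key
        if all(v != V for _, _, v in ARCHIVE):                          # V not yet registered
            break
    ARCHIVE.add((name, tuple(c ^ s for c, s in zip(generalised_crc(message), S)), V))  # C + S mod 2
    return S                                                            # appended to the message

def verify(name, message, S):
    V = tuple(clock(A0, s, f, p) for s, (p, f) in zip(S, FIELDS))
    return (name, tuple(c ^ s for c, s in zip(generalised_crc(message), S)), V) in ARCHIVE
```

Because R is drawn afresh for every message, two encryptions of one plaintext under one public key share neither header nor keystream, which is the non-determinism the abstract describes. Two caveats for anyone reading this as more than a model of the protocol flow: the generalised CRC is a linear function of the message, so an archive entry binds S to the message's remainders rather than to the message itself, and a Geffe combiner's output bit agrees with each selected register's bit three quarters of the time, so the toy parameters above are not a security recommendation.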

In a fifth aspect the invention consists in a public-key authentication system 
wherein a message authenticator selects a private key D which comprises a plurality of 
binary numbers D1 to Dn and exponentiates a public key E using the private key by, for each 
of the said numbers D1 to Dn, calculating the state of a pseudo-random binary number 
generator from a given initial state after a number of clock pulses or state transitions 
equal to the corresponding number given by the private key D1 to Dn and providing each 
of the calculated binary states E1 to En as a component of the public key E, and makes E 
available for public inspection, and wherein a message sender registers unique 
authentication information with said message authenticator and appends signature 
information to a message, and wherein a message verifier obtains the message, calculates 
a generalised CRC value for the message, submits the message signature information, the 
generalised CRC value and the sender's name or other identifying information to the 
message authenticator, and wherein said message authenticator uses said generalised 
CRC value, said message signature information and said registered authentication 
information to confirm whether or not the message has been sent by the sender identified 
by said authentication information, characterised in that: 
(1) the message sender 

(a) selects an authentication password (P) consisting of a plurality of binary 
numbers; 

(b) requests said signature authenticator to register the authentication 
password P to correspond to his name or other identifying information and to confirm 
that P has not yet been registered by anyone and if informed that P has previously been 
registered repeats step (a); 

(c) computes a generalised cyclic redundancy check (CRC) value C_M by, 
for each one of a set (n) of pseudo-random binary number generators, computing the 
remainder resulting from dividing the sequence of bits comprising the message being sent 
by a modulus corresponding to said pseudo-random binary number generator and 
providing each such remainder C1 to Cn as a component of the generalised CRC value C_M; 

(d) computes intermediate signature information by appending the 
generalised CRC value C_M to the authentication password P; 

(e) computes message signature information S_PM by encrypting the 
intermediate signature information computed in step (d) using the signature 
authenticator's public key E by 

(i) selecting a random initialisation key (R) comprising a set of 
binary numbers R1 to Rn and exponentiating the initial state using each number by, for each 
of the said numbers R1 to Rn, calculating the state of a pseudo-random binary number 
generator from a given initial state after a number of clock pulses or state transitions 
given by the random initialisation key R1 to Rn and providing each of the calculated binary 
states Q1 to Qn as a component of an open key Q, 

(ii) exponentiating the components of the signature authenticator's 
public key E by the components of the random initialisation key R to produce generator 
initialisation states K1 to Kn by, for each of the said numbers E1 to En and R1 to Rn, calculating 
the state of a pseudo-random binary number generator that would result from applying 
the process previously defined, wherein a private key is used to exponentiate a public key, 
a number of times equal to the corresponding binary number R1 to Rn, 

(iii) loading a set (n) of pseudo-random binary number generators, 
the outputs of which are combined to form a mixture generator, with initial values K1 to Kn, 

(iv) clocking the mixture generator to obtain a keystream serial 
output and combining this output with said intermediate signature information to produce 
encrypted intermediate signature information, 

(v) appending said encrypted intermediate signature information to 
said open key Q to produce message signature information S_PM, 

(f) appending the said message signature information S_PM to the message 
and also appending his name or other identifying information to the message, 

(2) the message verifier 

(a) extracts the message signature information (S_PM) and the sender's name 
or other identifying information from the message; 

(b) computes a generalised CRC value C_V for the message by means of the 
process defined in step (1)(c); 

(c) submits the said message signature information and the sender's name 
or other identifying information and the said generalised CRC value C_V to the signature 
authenticator and requests said signature authenticator to compare the authentication 
password P and generalised CRC value C_M encrypted within the message signature 
information S_PM with C_V and the sender's name or other identifying information, and 

(3) the message authenticator 

(a) decrypts the message signature information S_PM using its private key D 
by 

(i) extracting the open key Q from the message signature 
information, 

(ii) exponentiating the open key Q by the private key D to derive 
generator initialisation states K1 to Kn by, for each of the said numbers Q1 to Qn and D1 to Dn, 
calculating the state of a pseudo-random binary number generator that would result from 
applying the process defined in step (1)(e)(i) a number of times equal to the 
corresponding binary number D1 to Dn, 

(iii) loading a second set (n) of pseudo-random binary number 
generators, the outputs of which are combined to form a mixture generator, with the 
generator initialisation states K1 to Kn, 

(iv) clocking the mixture generator to obtain a keystream serial 
output and combining this output with the message signature information to thereby 
recover the intermediate signature information P and C_M computed in step (1)(d); 

(b) compares the value of P contained in said intermediate signature 
information with the authentication password registered as corresponding to the name 
or other identifying information submitted in step (2)(c); 

(c) compares the value of C_M contained in said intermediate signature 
information with the value of C_V submitted in step (2)(c); 

(d) confirms to the message verifier that the message is authentic if both 
of the comparisons in steps (b) and (c) are successful, or rejects it as spurious if either 
comparison fails. 

In a sixth aspect the invention consists in a method for generating random 
numbers comprising the steps of: 

(1) a user manipulating an input device whose state at any time t can be 
described as a point Xt represented by a plurality of coordinates (Xt,1, Xt,2, ...); 

(2) measuring the points describing the states of said input device at a 
plurality of time instants t = 1, 2, ..., n; 

(3) selecting a subset of the points thus measured corresponding to a subset of 
said time instants; 

(4) computing a numerical function of the coordinates of all the points thus 
selected; 

(5) obtaining the desired random numbers as the plurality of binary digits 
which represent the value of the numerical function thus computed. 

In a seventh aspect the invention consists in a method of combining a serial 
keystream output with binary information P, comprising a succession of parts P1, ..., PN 
in which each part Pi represents a number of bytes ni, to produce an encrypted bit stream 
C comprising a succession of parts Ci, said method comprising the steps of, for each 
successive part Pi: 

(1) generating a pseudorandom permutation T of the bytes 1, ..., ni using a 
plurality of bytes of the serial keystream output; 

(2) permuting the relative positions of the bytes within the part Pi according 
to the permutation T to form an intermediate part Ii; 

(3) forming the i-th part Ci of the encrypted bit stream by, for each byte B of 
the intermediate part Ii, 

(a) generating one or more bytes of the serial keystream output; and 

(b) replacing the byte B with a quantity that depends upon the byte B 
and the said generated byte or bytes of the serial keystream output. 

In an eighth aspect the invention consists in a method of combining a serial 
keystream output with an encrypted bit stream C comprising a succession of parts C1, ..., 
CN, in which each part Ci consists of a number of bytes ni, to recover binary information 
P comprising a succession of parts Pi, said method comprising the steps of, for each 
successive part Ci: 

(1) generating a pseudorandom permutation T of the numbers 1, ..., ni using a 
plurality of bytes of the serial keystream output; 

(2) forming an intermediate part Ii by, for each byte B of the part Ci, 

(a) generating one or more bytes of the serial keystream output; and 

(b) replacing the byte B with a quantity that depends upon the byte B 
and the said generated byte or bytes of the serial keystream output; and 

(3) permuting the relative positions of the bytes within the intermediate part 
Ii according to the permutation T to form the i-th part Pi of said binary information. 
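The seventh and eighth aspects, as an added Python example that is not part of the patent text: each part is byte-permuted with a Fisher-Yates shuffle driven by two keystream bytes per draw, then every byte is replaced by an invertible function of that byte and two further keystream bytes; the decrypting side regenerates T from the same keystream bytes, undoes the substitution and only then inverts the permutation, so the two sides consume the keystream in the same order. The serial keystream is a stand-in derived from SHAKE-256 over a key (an assumption made so the block runs alone; the patent draws it from the mixture generator), and the byte counts per draw and the function (B XOR k1) + k2 mod 256 are choices made here, not taken from the text.

```python
"""Constructed example (not the patent's own code) of the seventh and eighth aspects:
per-part byte permutation followed by per-byte keystream-dependent substitution."""
import hashlib

def keystream_reader(key):
    """Stand-in serial keystream (assumption); the patent takes these bytes from the mixture generator."""
    stream = hashlib.shake_256(key).digest(1 << 20)   # 1 MiB is plenty for this example
    pos = 0
    def take(n):
        nonlocal pos
        if pos + n > len(stream):
            raise ValueError("keystream exhausted")
        chunk = stream[pos:pos + n]
        pos += n
        return chunk
    return take

def permutation(take, n):
    """Pseudorandom permutation T of 0..n-1 from keystream bytes (Fisher-Yates, two bytes per draw)."""
    T = list(range(n))
    for i in range(n - 1, 0, -1):
        j = int.from_bytes(take(2), "big") % (i + 1)   # small modulo bias is irrelevant for the example
        T[i], T[j] = T[j], T[i]
    return T

def encrypt_part(take, part):
    """Seventh aspect, one part: permute bytes by T, then replace each byte using two keystream bytes."""
    T = permutation(take, len(part))
    inter = bytes(part[T[k]] for k in range(len(part)))        # position k of I_i holds byte T[k] of P_i
    out = bytearray()
    for B in inter:
        k1, k2 = take(2)
        out.append(((B ^ k1) + k2) & 0xFF)                      # invertible in B given k1, k2
    return bytes(out)

def decrypt_part(take, cpart):
    """Eighth aspect, one part: same T from the same keystream bytes, undo substitution, then un-permute."""
    T = permutation(take, len(cpart))
    inter = bytearray()
    for B in cpart:
        k1, k2 = take(2)
        inter.append(((B - k2) & 0xFF) ^ k1)
    out = bytearray(len(cpart))
    for k, b in enumerate(inter):
        out[T[k]] = b                                           # inverse of the permutation step
    return bytes(out)

def encrypt_parts(key, parts):
    take = keystream_reader(key)
    return [encrypt_part(take, p) for p in parts]

def decrypt_parts(key, cparts):
    take = keystream_reader(key)
    return [decrypt_part(take, c) for c in cparts]
```

Each part keeps its length, as the seventh aspect requires, and because the permutation is drawn before the substitution bytes on both sides, a receiver that has lost keystream synchronisation (for instance by skipping a part) recovers nothing for the remaining parts rather than partially garbled text.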

BRIEF DESCRIPTION OF DRAWINGS 

Figure 1 is a diagrammatic representation of a mixture generator with MLSRG 
component generators which could be utilised to implement the present invention, 

Figure 2 is a diagrammatic representation of a preferred implementation of the 
mixture generator of Figure 1, namely a Geffe-type generator, and 
Figure 3 is a diagrammatic representation of an example configuration of shift 
registers shown in Figure 2. 

Figure 4 is a block diagram of a hardware realisation of an encrypter, and 
Figure 5 is a block diagram of a hardware realisation of a decrypter. 

BEST MODES FOR CARRYING OUT THE INVENTION 

This description discloses a preferred embodiment of the present invention and also 
mentions several variations. The discussion in this document is from the viewpoint of 
implementation of the invention in software on a digital computer, but it should be noted 
that it is possible to implement all, or part, of the entire system using special purpose 
electronic hardware components. Such components include, but are not restricted to, 
logic elements such as LSI memories, shift registers, field-programmable gate arrays 
(FPGAs) and discrete logic. 
1. Classification of the Present Invention 

One way of classifying public-key cryptosystems, sometimes referred to as 
asymmetric-key systems, is according to the type of one-way function that relates private-
key/public-key pairs, and more specifically according to the mathematical problem whose 
solution is required in order to invert the one-way function (i.e., to infer a private key 
from its public key). Three such problems account for virtually all public-key systems 
proposed to date: prime factorisation, discrete logarithms, and knapsacks. For example, 
the best-known public-key algorithm, RSA, is based on the difficulty of prime 
factorisation of large integers. Diffie-Hellman, which is a public key distribution system 
rather than a true public-key cryptosystem, is based on the discrete logarithm problem, 
as is the ElGamal public-key cryptosystem. 

In mathematical terms, the present system is based upon the discrete logarithm 
problem. This means that in this system a public key is calculated from a private key 
using operations mathematically equivalent to exponentiation in finite fields. 
Consequently, breaking the system in the sense of computing a private key from its public 
key requires an attacker to compute logarithms over finite fields. For reasons of 
computational efficiency, simplicity and speed, as well as security, the finite fields 
underlying the present system are the Galois fields GF[2^p], where in addition p is selected 
so that 2^p - 1 is a large prime (a "Mersenne" prime); the multiplicative group of such a 
field then has prime order, so every element other than 1 generates it and every 
irreducible polynomial of degree p is primitive. As will be seen, the system involves 
exponentiation over more than one such field. 

Another way of classifying cryptographic systems pertains to whether they are deterministic or non-deterministic. The first mention of non-deterministic cryptosystems is believed to be due to Carl Nicolai. Although the notion can be stated more or less precisely in a number of ways, one of the properties of a non-deterministic cryptosystem is that even if the same key is used to encrypt a given plaintext on more than one occasion, the resulting ciphertexts will differ in a non-systematic way, ideally in a truly random fashion. The present system is a non-deterministic cryptosystem.

In transforming plaintext into ciphertext, a cryptosystem may increase or decrease the length of the original plaintext, or may leave it unchanged. The present system produces a ciphertext that is exactly the same length as the plaintext, except that it prefixes the ciphertext with a short header block. The length of this header block depends upon the parameters chosen for a particular implementation, but will typically be between 64 and 256 bytes. Its format is not critical.
2. Mixture Generators 

The central component of the invention is a pseudorandom binary keystream generator of a new type referred to here as a mixture generator, by analogy with the concept, taken from probability theory, of a mixture of independent and identically distributed random variables. A mixture generator consists of a single pseudorandom binary generator, such as a maximal-period linear shift register generator (MLSRG) or
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a maximal-period multiplicative congruential generator (MCG), whose outputs or states are used to successively select, in a memoryless fashion, one member of a set of other component pseudorandom binary generators. Figure 1 shows a mixture generator where the mixer generator G_m is a maximal-period linear shift register whose last three stages at time T are used to select one of 8 other MLSRGs (G_0, ..., G_i, ..., G_7) whose output is to be used at time T. The clock rate of the mixer generator G_m can be taken as three times the clock rate of the component generators G_i. A simpler example, shown in Figure 2, is a special case of this and is known as a Geffe generator. In Figure 2, the last stage of the mixer generator G_m selects the output of the top generator G_t if the mixer output at time T is a 1, or the output of the bottom generator G_b if the mixer output at time T is a 0. More specifically, a concrete instance of this configuration is the case in which the mixer generator has 89 stages with (primitive) generator trinomial 1 + x^38 + x^89, the top generator has 127 stages with (primitive) generator trinomial 1 + x^30 + x^127, and the bottom generator has 521 stages with (primitive) generator trinomial 1 + x^168 + x^521. A smaller (and less secure) instance is one in which the three generators correspond to the respective trinomials 1 + x^… + x^87, 1 + x^38 + x^89, and 1 + x^30 + x^127. When using MLSRGs as component generators, it is essential to use generators with the mathematical property that their generator polynomials are primitive polynomials. In addition, such generators may have the property that they have a prime number of stages, so that the lengths of their periods are Mersenne primes.

Throughout the balance of this document, the symbol p(x) is used to denote the generator polynomial corresponding to a MLSRG.

A mixture generator, as defined here, need not necessarily be restricted to 
component generators consisting of MLSRG or MCG components. Instead, the 
components, including the mixer, might well be mixture generators themselves, or
nonlinear generators of other types with desirable statistical or cryptographic properties. 

Mixture generators can be implemented in very fast special-purpose hardware, 
either using discrete logic or custom integrated circuits, or simulated in software on a 
general-purpose computer. 
Since it is a finite-state device, starting from any particular state of its mixer and other component generators a mixture generator can be used to generate a periodic binary sequence (i.e., a sequence of zeroes and ones that will eventually repeat). The state of the generator is described by a collection of binary values specifying the state of
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each stage of each of its components. 

The advantages of mixer generator configurations are that their periods are very 
long, their complexity is very high, their distribution of zeroes and ones is well-balanced, 
and successive outputs are substantially uncorrelated. Their outputs also have excellent 
statistical properties in terms of their n-tuple distribution and runs statistics. Some of
these properties can be demonstrated mathematically, while others have been verified 
statistically (for example, using chi-square and runs tests). 

Any periodic binary sequence is capable of being generated by some MLSRG, and 
one of the critical factors in assessing the suitability of a sequence for cryptographic 
purposes is the length of the shortest linear feedback shift register required to generate
the sequence. A strong advantage of mixture generator configurations is that it is often 
easy to precisely characterise this length as a function of the mixer and component 
generator lengths, and that the length, which is a good measure of the complexity of the 
generator and consequently its usefulness for some cryptographic purposes, is very high. 
The way in which mixture generators are used in the encryption system of the present invention will be described in terms of the Geffe-type mixture generator shown in Figure 2. We denote the numbers of stages in the MLSRGs forming the mixer, top and bottom generators by n_m, n_t and n_b, and the initial states (at time T=0) of the respective generators by a_m0, a_t0 and a_b0 respectively. We assume now for convenience that each of these initial states is fixed and publicly known. A variation of the invention consists of using the initial states as part of a key known only to a particular group of users in order to permit secure and authenticated transmission of messages among members of this group.

File encryption on personal computers using this type of mixture generator with n_m = 87, n_t = 89 and n_b = 127 produces an extremely rapid system with a moderate security level. A much more secure system, still possible on a PC, results from the choice n_m = 89, n_t = 127 and n_b = 521. The latter three all give rise to Mersenne primes.
It is possible to show mathematically that the period (i.e., the number of clock cycles after which the generator output repeats itself) of a Geffe-type generator is the product of the periods of the component generators: $(2^{n_m} - 1)(2^{n_t} - 1)(2^{n_b} - 1)$. Its complexity, as measured by the number of stages in the shortest equivalent linear shift register generator which is able to produce the same output sequence, may be calculated by $n_m n_t + (1 + n_m) n_b$. More complex mixture generators can also be analysed, with
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analogous results. 
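The Geffe-type mixture generator of Figure 2 as an added C example (not code from the patent): three MLSRGs kept in the polynomial form of section 4, with the mixer's output bit selecting the top or bottom output. The mixer trinomial 1 + x^38 + x^89 and the top trinomial 1 + x^30 + x^127 are the text's; the bottom register is assumed to be 1 + x^63 + x^127 because the 128-bit words used here (a gcc/clang extension) cannot hold the text's 521-stage register, and all seeds are constructed. Besides producing keystream bytes, the run counts how often the output equals the top generator's bit, which the selection rule fixes at about three quarters.

```c
#include <stdint.h>
#include <stdio.h>

/* 128-bit words (a gcc/clang extension) hold registers of up to 127 stages. */
typedef unsigned __int128 u128;

/* One MLSRG in the polynomial (Galois) form of section 4: the state is a polynomial of
 * degree below n (bit i = coefficient of x^i) and a clock tick multiplies it by x mod p(x). */
typedef struct { u128 state, p; int n; } Mlsrg;

static Mlsrg mlsrg_init(int n, int m, u128 seed) {      /* p(x) = 1 + x^m + x^n */
    Mlsrg g = { seed, ((u128)1 << n) | ((u128)1 << m) | 1, n };
    return g;
}

/* Clock once and return the output bit, taken here from the top stage (coefficient of
 * x^(n-1)). When that bit is 1 the shift reaches degree n and p(x) is subtracted. */
static int mlsrg_clock(Mlsrg *g) {
    int out = (int)((g->state >> (g->n - 1)) & 1);
    g->state <<= 1;
    if (out) g->state ^= g->p;
    return out;
}

/* Geffe-type mixture generator of Figure 2: G_m's output bit selects G_t (1) or G_b (0). */
typedef struct { Mlsrg m, t, b; } Geffe;

static int geffe_clock(Geffe *g) {
    int sel = mlsrg_clock(&g->m), top = mlsrg_clock(&g->t), bot = mlsrg_clock(&g->b);
    return sel ? top : bot;
}

/* Eight ticks give one keystream byte, most significant bit first. */
static uint8_t geffe_byte(Geffe *g) {
    uint8_t v = 0;
    for (int i = 0; i < 8; i++) v = (uint8_t)((v << 1) | geffe_clock(g));
    return v;
}

/* Constructed instance: mixer 1 + x^38 + x^89 and top generator 1 + x^30 + x^127 from
 * the text; the bottom generator is assumed to be 1 + x^63 + x^127 (also primitive)
 * because the text's 521-stage register does not fit a 128-bit word. Seeds are
 * arbitrary nonzero states standing in for the key-derived state K. */
static Geffe sample_geffe(void) {
    Geffe g;
    g.m = mlsrg_init(89, 38, ((u128)0x1234567 << 64) | 0x89ABCDEF01234567ULL);
    g.t = mlsrg_init(127, 30, ((u128)0x0FEDCBA987654321ULL << 64) | 0x13579BDF2468ACE0ULL);
    g.b = mlsrg_init(127, 63, ((u128)0x2468ACE013579BDFULL << 64) | 0xFEDCBA9876543210ULL);
    return g;
}

/* Run statistics: how many output bits are 1 (expected about half) and how often the
 * output equals G_t's bit (always when the mixer selects G_t, half of the remaining
 * ticks, so about three quarters overall). */
typedef struct { long ones, agree_top; } Stats;

static Stats geffe_stats(long ticks) {
    Geffe g = sample_geffe();
    Stats s = {0, 0};
    for (long i = 0; i < ticks; i++) {
        int sel = mlsrg_clock(&g.m), top = mlsrg_clock(&g.t), bot = mlsrg_clock(&g.b);
        int out = sel ? top : bot;
        s.ones += out;
        s.agree_top += (out == top);
    }
    return s;
}

/* Clock a register loaded with the polynomial 1 (the base state a0) `ticks` times. */
static u128 clock_from_one(int n, int m, long ticks) {
    Mlsrg g = mlsrg_init(n, m, 1);
    for (long i = 0; i < ticks; i++) mlsrg_clock(&g);
    return g.state;
}

int main(void) {
    Geffe g = sample_geffe();
    printf("first keystream bytes:");
    for (int i = 0; i < 8; i++) printf(" %02X", geffe_byte(&g));
    Stats s = geffe_stats(200000);
    printf("\nones: %ld of 200000, output equal to G_t: %ld of 200000\n", s.ones, s.agree_top);
    return 0;
}
```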

3. Using a Mixture Generator to Implement a One-Way Function 

The very long binary sequence generated by a mixture generator has a number of useful properties. It is possible to actually run or "clock" the generator to obtain its output stream and its sequence of internal states. Since the generator's period is so long, it is not possible to generate more than a tiny segment of the entire output stream in any reasonable period of time no matter how fast the generator can be clocked; even for the smaller of the example generators mentioned above, the period length is on the order of $2^{303}$.

It is possible to use the mixture generator to rapidly and efficiently "calculate" what its final internal state would be if its individual components were clocked any given numbers of times, no matter how huge, starting from a known starting state.

It is, however, not computationally feasible to answer the inverse question. That is, given known final states for each component, it is extremely difficult to determine the numbers of times each of them would need to be clocked in order to reach such final states from known starting states. Answering this question is tantamount to solving a so-called "discrete logarithm" problem. The best known algorithm for solving such problems is the one due to D. Coppersmith, which is highly efficient. The time required to execute it on any conceivable computer can be estimated quite accurately. While it is practical to carry out the necessary calculations in a modest length of time on very fast computers in the case when the longest component generator is of length 127, this is not the case when the longest component generator length is above 500 or so. Solving such problems will remain computationally infeasible even under the most optimistic predictions concerning available computing power. Moreover, the difficulty of obtaining solutions can be accurately engineered by selecting generator lengths appropriately. Mixture generators incorporating components with lengths considerably higher than 500 are still efficient and practical to implement.

4. Private and Public Keys 

In the present system, a private key is equivalent to a set of (binary) numbers which specify arbitrary numbers of times the components of the mixture generator are to be imagined to be clocked. These can be interpreted as "distances" (measured in units of clock ticks) within the periodic output stream of each component.

The public key corresponding to a private key is the final state of the mixture 
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generator that would result if each component were to be clocked a number of times 
given by the corresponding part of the private key. 

A major distinction exists between the pairs of private keys and public keys used 
in this system and those used in most other systems. In many other systems, the key pairs 
must be generated together automatically at the same time, according to specific
requirements and limitations. In the RPK system, the selection of a private key is 
completely free and unrestricted. It may be selected arbitrarily by its user, if desired, rather 
than being assigned. This is not only a significant practical advantage, but also forms a 
major point of difference between the RPK system and other patented techniques. 
In the context of the illustrative Geffe generator, for purposes of selecting a private key a user A selects three numbers D_m, D_t and D_b, where D_m is in the range from 1 to $2^{n_m} - 1$, D_t is in the range from 1 to $2^{n_t} - 1$ and D_b is in the range from 1 to $2^{n_b} - 1$. It should be noted that each of these ranges includes the extreme values mentioned, although strictly speaking the high end of the range (all ones in binary) should be excluded since it is equal to the period. The public key for user A will consist of the states E_m, E_t and E_b of the three component generators after D_m, D_t and D_b clock cycles (shifts), respectively. For a mixture generator with, say, N component generators, the private and public keys will have N, rather than 3, such component states.

Note that the number of bits required to form either a private or public key is n_m + n_t + n_b, which is 303 in the case of the smaller Geffe configuration being used for an example and 737 for the larger one. One might wish to compare this with the 56 key bits employed in the widely-used DES conventional encryption algorithm.

The following description of efficient methods for computing the public key from any given private key is included for completeness and to aid in an understanding of the invention but should be apparent to a practitioner skilled in the art. For reasons based on the mathematics underlying the methods, it is appropriate to refer to the process of determining a public key from a given private key as exponentiation.

It should be obvious that a method is required for calculating the future state of a mixture generator, since in view of the extremely long period of such generators it is not possible to actually run them long enough to generate more than a tiny fraction of the number of states required. A highly compact and efficient method for calculating the
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future state of a linear feedback shift register (MLSRG) generator exists and depends upon interpreting the contents of the stages of the register (that is, its state) as coefficients of a polynomial in one "indeterminate" x. Since the register has n stages, the contents of the stages can represent the coefficients of the powers of x: 1, x, x^2, ..., x^(n-1). Note that such polynomials are different from the "generator polynomial" p(x) mentioned earlier, which is of degree n. It is convenient to renumber the stages of the generator from zero to n-1, where stage 0 corresponds to the stage immediately following the middle generator tap, so that stage (n - 1) denotes the stage with the feedback tap in the middle of the generator. The final (output) stage of the generator will then be numbered (n - m - 1), where m as before denotes the exponent in the middle term of the "generator polynomial" p(x).

Using this interpretation, it is possible to verify that the state resulting from clocking the generator once is equivalent to multiplying the polynomial representing its state by the polynomial consisting just of the single term x. This is to be done with the understanding first of all that all the arithmetic on the coefficients is done modulo 2 (i.e., 1 + 1 = 0, etc.), and second that the polynomial "product", if it is of degree n or higher, is understood to refer to the product modulo the generator polynomial p(x). This last statement means that any polynomial of degree n or higher is to be replaced by the remainder that would result after dividing it by p(x). Polynomial addition and multiplication and division follow the usual algebraic rules, except that in this case arithmetic on the coefficients is done modulo 2 (equivalent to XOR).

Taking this idea of multiplying polynomials modulo p(x) one step further, if the initial generator state a_0 is taken to be the one with a single 1 in the zero-numbered stage, then the process of advancing the generator by a time D (or clocking it D times) is equivalent to computing the product 1·x·x·...·x, where the factor x appears D times. The resulting product can be denoted as x^D mod p(x). Using D as an exponent in this way suggests that an efficient method for computing x^D mod p(x) involves pre-computing and tabulating the (n - 1) polynomials representing the binary powers x, x^2, x^4, x^8, ..., x^(2^(n-1)), all modulo p(x), and then multiplying together (again, modulo p(x) each time) those corresponding to one bits in the binary representation of D.
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This conceptual process of multiplying polynomials modulo p(x) can be accomplished in practice very simply and efficiently using the shift register itself. No elaborate actual multiplication is required. To see this, we observe that since clocking the generator once is equivalent to multiplying the polynomial corresponding to its contents by x, we can multiply by x^j, say, by clocking the generator j times. Multiplying by an arbitrary polynomial is accomplished simply by saving the states corresponding to such intermediate "multiples" (for example, in registers) and adding corresponding coefficients modulo 2 (that is, XOR-ing). This procedure eliminates the need for a separate procedure for polynomial division in reducing products modulo p(x). Designing special-purpose circuitry or chips to accomplish the entire process very quickly is a straightforward matter, or it can be emulated easily in software if desired.
5. Encryption 

As stated above, the private key D for user A consists of three numbers (D_m, D_t, D_b) while user A's public key E consists of the three numbers (E_m, E_t, E_b) which are assumed to be publicly known, perhaps posted in a public directory file, and which represent the states of the corresponding generators at times D_m, D_t and D_b starting from given and known initial states a_0 = (a_m0, a_t0, a_b0) at time zero. Equivalently, using D and E to denote times and states for a generic MLSRG, in polynomial notation we have E = x^D mod p(x), assuming that the initial state corresponds to the zero-degree polynomial 1.

It is preferable that any plaintext message P to be encrypted has first undergone data compression. This is a well-known technique that is useful not only for reducing data transmission costs and/or storage space but which also decreases the redundancy of the underlying message. This increases the difficulty of successful cryptanalysis and also enhances the propagation of errors resulting either from transmission errors or from malicious modifications ("spoofing") of the ciphertext.

In order to encrypt a plaintext message P, so that it can only be decrypted by user A (using A's private key) another user B first generates a random initialisation key R = (R_m, R_t, R_b) that is to be used solely during the encryption of P. R is analogous to D in that it represents "exponents" for the component generators, and the three components of R must fall in the same ranges as those of D. User B next computes Q = (Q_m, Q_t, Q_b) from R in the same way that a public key E is computed from a private key D. That is, Q represents the states of the component generators at time R, starting from the initial
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state a_0. User B then includes Q in the ciphertext message header, to be transmitted or stored in the clear (that is, not encrypted) and which may also contain other information useful for communication purposes. For instance, a particular application might include addressing information, cyclic redundancy check (CRC) bytes or other error-correction data in the message header.

To continue the actual encryption process, user B next loads the component generators with an initial state consisting of E (user A's public key) and then again uses the same random initialisation key R = (R_m, R_t, R_b) to compute a final state K = (K_m, K_t, K_b) by "exponentiating" A's public key E, taking R as the exponent. In polynomial notation this can be written as $K_j = E_j^{R_j} \bmod p(x)$, for j = m, t, b. User B does this "exponentiation" of A's public key using the mixture generator's component shift registers to compute products of binary powers $E^{2^k}$ (k = 0, 1, ..., n - 1), analogous to the way that a public key is computed from a private key.

Note that user B has used both the random initialisation key R and user A's public key E in computing K, as well as publicly available knowledge of the initial state and the structure of the underlying mixture generator. The total computational effort has amounted only to the polynomial exponentiations required to advance the states of the component generators twice (that is, once to compute Q and once to compute K). The essential property of K for purposes of the present encryption system is that K describes the state resulting from advancing the generators first by D and then exponentiating this state by R (that is, the state that would be the result if the generator could be advanced by a time equal to R multiplied by D), despite the fact that user B has been able to compute K without knowing D.

The state K is used as a final generator initialisation state with which to begin creating the ciphertext. User B generates the body of the ciphertext C by using the keystream obtained by clocking (running) the mixture generator starting from the state K, operating with it and combining it with the plaintext bit stream P. This combining process must be invertible (that is, it must be possible to recover the plaintext P given K and C) and can be done in a variety of ways.

Although the simplest imaginable combining technique involves simply a bitwise XOR (exclusive-OR) between the plaintext and the keystream, this approach has serious cryptographic flaws when used by itself.
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Many simple combining methods are possible. For instance, a block encryption system could be devised in which a fixed number L of keystream bits are combined with L plaintext bits by interpreting these two blocks of bits as integers in the range 0 to $2^L - 1$ and defining the corresponding ciphertext block to be their product. This results in an encryption system somewhat analogous to the well-known ElGamal public-key cryptosystem. Unfortunately, it produces a ciphertext double the length of the plaintext.

The preferred combining method in the present system is one that produces a quasi-block cipher. In classical cryptographic terminology, this part of the algorithm can be compared to a running-key cipher combined with a pseudorandom transposition cipher. The idea is to first create an intermediate ciphertext block by utilising a part of the keystream (i.e., generator output) as a means for generating a pseudorandom permutation of the bytes (or even individual bits) of the plaintext block. One then combines the intermediate ciphertext block with a subsequent portion of the keystream, either on a bit-by-bit basis by XORing them together or on a byte-by-byte basis by performing substitution using a lookup table. This approach produces a ciphertext body whose length is the same as that of the plaintext. (Slightly different handling is required when the plaintext length is not an integral multiple of the block size, to accommodate the final partial block.)

An obvious refinement involves cascading this combining process by alternately applying the above-mentioned pseudorandom transposition (i.e., permutation) and substitution procedures more than once.

The only performance penalty associated with the preferred combining method is to increase the quantity of generator output required. However, since mixture generators run very quickly this is unlikely to be a significant issue except in applications requiring extremely high encryption bit rates. Additionally, in order to achieve the maximum possible degree of security it may be advisable, although not essential, to restrict the maximum length of any plaintext enciphered with a single random initialisation key R. This is not a major restriction, since very long plaintexts can simply be broken into a sequence of segments of acceptable size.

More complex ways of combining the keystream with the plaintext in order to achieve various objectives include variations on known techniques such as cipher block chaining. In one such variant, the plaintext is first broken into blocks of fixed size to which additional timing, authentication or error-correction information may be appended
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or prefixed. Each plaintext block is first XORed with the previous ciphertext block 
before combining it with the next block of the keystream. 

When implementing the RPK system in software, it is useful to note that it is not 
difficult to clock the mixture generator 8 bits (or more) at a time, and the entire 
combining process can be accomplished accordingly. This can also be done in hardware
without unacceptable complexity. 

In summary, then, the encryption process involves the following steps, all of which are accomplished using the mixture generator and its components:

Generate a random initialisation key R and use it to exponentiate the base state, thereby generating an open key Q which is included within a header, preceding the main body of the ciphertext.

Use R again to exponentiate the public key E, thereby generating a final (internal) generator initialisation state K.

Starting from the state K, run the mixture generator to obtain a keystream output and combine the keystream output with the plaintext P to obtain the main body of the ciphertext C.

Note that since R is chosen randomly, even if the same plaintext were to be encrypted again using the same public key the second ciphertext would differ randomly from the first one, both in the open key Q and in the ciphertext body itself since the final (internal) generator initialisation states would differ.
6. Combining Keystream with Plaintext

A novel preferred combining method will now be described that incorporates a number of the advanced approaches alluded to above. In what follows, we shall assume that the plaintext is represented as a sequence of 8-bit bytes, and we shall use the term "current CRC value" to refer to the 32-bit CCITT cyclic redundancy check value corresponding to the portion of the plaintext starting at the beginning and continuing up to any particular byte position within it. It should however be understood that this term could equally well refer to another type of CRC or message digest computation or even to a generalised CRC of the type mentioned later in this document. We shall also assume that it is convenient to process the plaintext, for combining purposes, in moderately large "chunks" that are presented as the contents of a buffer. A typical such chunk size might be in the order of two to four thousand bytes. Finally, we shall use the term "stuttered keystream" to refer to the output of a mixture generator modified so that the clocking of
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one or more of the component generators is made state-dependent. An easy way to do 
this is to sense the states of a particular set of generator stages and discard the generator 
output (that is, clock the generator an additional tick) if the states obey some criterion. 
For example, one can sense whether a particular set of four stages of a component 
contain all ones and clock this component an extra tick when this is so. It is well known
that this procedure greatly increases the non-linearity, and hence complexity, of a 
keystream generator. 

The general combining process is then as follows. First, compute the current CRC value of the plaintext up through the end of the current chunk. Second, use a portion of the stuttered keystream to generate a pseudorandom permutation of the bytes in the current chunk and then XOR the permuted data with subsequent consecutive bytes of the stuttered keystream. Finally, clock the stuttered keystream a number of bytes which depends upon the current CRC value, discarding the bytes thus generated; the number of bytes to discard might be given by, for example, simply the numerical value of the low-order byte of the current CRC value. This final step ensures that the portion of the keystream used for combining with any chunk depends both on the initial generator states and on the entire plaintext prior to that chunk and can thus be viewed as a type of cipher block chaining. It also ensures that any single-bit alteration or transmission error in the ciphertext causes a cascading of errors, averaging 50%, in subsequent chunks of decrypted text.

The manner of pseudorandomly permuting the data within a chunk can be varied as efficiency considerations may dictate. One economical approach involves viewing the chunk as a sequence of 256-byte blocks, possibly followed by a shorter end block if the chunk size is not a multiple of 256. As we shall demonstrate, we can then use 127 stuttered keystream bytes to generate one pseudorandom swap table to be used for all the 256-byte blocks, and a smaller additional number of stuttered keystream bytes to generate one smaller pseudorandom swap table, if necessary, to be used for the shorter end block. For the case of 256-byte blocks, such a pseudorandom swap table provides a set of 128 pairings (i, j) of distinct integers in the range 0 to 255. To use the swap table, one simply exchanges the positions of bytes i and j within the block for each (i, j) in the table. A key feature of this method is that it is essentially self-inverting, that is, applying the identical permutation a second time restores the original byte ordering. It is interesting to note that the total possible number of such swap tables, when the block size
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n is even, is given by:

$$\frac{n!}{2^{n/2}\,(n/2)!} = (n-1)(n-3)\cdots(3)(1)$$



A particularly simple algorithm for generating a swap table of size n is concisely described by the following fragment written in the C programming language:

    typedef unsigned char BYTE;

    BYTE stut_clock8(void);          /* returns the next byte of the stuttered keystream */
    #define MODULO %
    #define NOT_EQUAL !=

    void MakeSwapTable(int n, BYTE *table)
    {   int index, remaining, i, k;
        BYTE temp;

        for (i = 0; i < n; i++)                  /* start from the identity ordering */
            table[i] = i;

        /* pair position k with a pseudorandom later position; once only two
           positions remain they form the last pair, so no further byte is drawn
           (127 draws for a 256-byte block, as described in the text) */
        for (k = 0, remaining = n; remaining > 2; remaining = remaining - 2)
        {
            index = k + 1 + ( stut_clock8( ) MODULO (remaining - 1) );
            k = k + 1;
            if (index NOT_EQUAL k)
            {
                temp = table[index];
                table[index] = table[k];
                table[k] = temp;
            }
            k = k + 1;
        }
    }

In the above code, the function stut_clock8( ) returns the next byte of the stuttered keystream. After it is executed, the table[] array will contain a sequence of consecutive pseudorandom pairs of the integers from 0 to n - 1. (If n happens to be odd, the last table entry will designate a byte position which is not to be swapped.)

If a modest increase in computational overhead is acceptable, a somewhat more complex version of the above approach is possible in which a different pseudorandom swap table is used for each 256-byte block. In any case, it is worth emphasising here that the actual permutations applied are different for each encrypted message since a different (and randomly selected) portion of the keystream is used for each message.

Finally, although it does not constitute a part of the combining method discussed above, we point out here an additional feature of this approach that bears upon the issues of validation and authentication. Since a CRC value for the entire plaintext is available at the end of the encryption process, it is a relatively simple matter either to append this value to the plaintext and encrypt it as well, or to insert an encrypted version of it into the message header if desired. The resulting information can be used during decryption to detect whether the message has been altered during transmission. Summary measures other than the CRC or generalised CRC can be used here, and particular security requirements may suggest the use of alternatives such as the Rivest MD4 algorithm or the NIST Secure Hash Algorithm.
The following is an example of the preferred combining technique, in which the chunk size is taken (for simplicity) to be only 4 bytes:

Plaintext chunk: "ABCD" (whose hexadecimal representation is 41 42 43 44)

Stuttered keystream output (hexadecimal): 37 04 FF B0 55

Encryption:

1. Calculate the CCITT CRC32 value for the plaintext chunk. This value turns out to be DB 17 20 A5 (hexadecimal representation).

2. Generate a pseudorandom swap table using the first byte of the stuttered keystream (apply the procedure given by the C language fragment in the text):

a) Initialise table to: 0 1 2 3.

b) The first stuttered keystream byte 37, modulo 3, is 1, so permute the elements 1 and 2 in the table to produce a table of 0 2 1 3.

c) The resulting swap table contains the pairs (0, 2) and (1, 3).

3. Permute the bytes ABCD by swapping the 0th and 2nd bytes, then the 1st and 3rd bytes, to produce CDAB, whose hexadecimal representation is 43 44 41 42. This is the permuted chunk.

4. XOR the permuted chunk byte-by-byte with the succeeding stuttered keystream bytes: 43 XOR 04 = 47, 44 XOR FF = BB, 41 XOR B0 = F1, 42 XOR 55 = 37, so the ciphertext consists of the sequence of bytes (in hexadecimal) 47 BB F1 37.

5. The last byte of the CCITT CRC32 value is A5, which is equal to 165 in decimal, so we would then generate and discard 165 bytes of the stuttered keystream before encrypting the next chunk.
7. Decryption 

To decrypt the received ciphertext, user A first uses the state given by the open 
key Q contained in the message header to compute the generator state corresponding to 
$Q^{D}$, where the exponent is his private key D. This process of exponentiating Q by D is 
done using the same kind of process used to exponentiate E by R during encryption. We 
observe that the resulting generator state is K, since Q represents the generator state 
after a time R starting from the base state $a_0$, and the state after time $R \cdot D$ is just K, as 
noted earlier. In polynomial notation this fact can be expressed as 

$E^{R} = (x^{D})^{R} = K = (x^{R})^{D} = Q^{D}.$ 

Note that this means that the recipient has been able to compute K without the need 
to know the random initialisation key R generated for encryption. User A can then run 
the mixture generator starting from the final initialisation state K (that is, clock it 
through successive states) to obtain the keystream bits needed to invert (that is, undo) 
the combining process performed during encryption. Since the mixture generator is 
started from the state K for both encryption and decryption, the keystream output will 
be identical in both cases. 

If the combining process used for encryption were to involve simply XORing the 
plaintext with the keystream, we note that XORing the resulting ciphertext with the same 
keystream again would recover the plaintext. For the preferred combining process 
described earlier, it is easy to invert the pseudorandom transposition and substitution 
operations in reverse order for each successive block to recover the plaintext from the 
ciphertext. 

The specific steps required for decryption, referring to the preferred combining 
process discussed earlier, are: 

1. Using the private key, exponentiate the open key Q contained in the ciphertext 
header to compute the final initialisation key K. The procedure for doing this is the 
same as the one used to exponentiate a public key by a random initialisation key during 
encryption. The state of the mixture generator will then be given by K. 

2. For each block of the ciphertext body, run the mixture generator to obtain a part 
of the keystream output and use this to generate a pseudorandom permutation table. 

3. Then run the mixture generator to obtain additional keystream output and 
combine it with the ciphertext block, either bit-by-bit by XORing the two together or 
byte-by-byte using a lookup table, to generate an intermediate text block. This step 
inverts the substitution process performed during encryption. 

4. Apply the inverse of the pseudorandom permutation defined by the permutation 
table created earlier to the intermediate text block (for the self-inverting swap tables 
described above this is the same permutation). This step inverts the transposition 
process performed during encryption and produces a block of the original plaintext. 

For the preferred combining method described earlier a slightly more complex 
process of inverting is necessary. The steps taken to initialise the generator are identical 
to those for the decryption of the simply combined ciphertext. However, the process of 
undoing the combination involves, for each chunk, firstly generating the same 
pseudorandom permutation of a representative chunk that was applied to the plaintext 
in the enciphering process, using the equivalent portion of the stuttered keystream. 
Secondly, the current ciphertext chunk is XORed with the subsequent consecutive bytes 
of the stuttered keystream. This produces a decrypted but pseudorandomly permuted 
version of the plaintext. Thirdly, the inverse of the permutation applied to the 
representative chunk (for a swap table, the same permutation) is applied to the permuted 
version of the plaintext, to recover the plaintext. Lastly, the current CRC value of the 
decrypted text, up to the end of the current chunk, is calculated, and the stuttered 
keystream is clocked a number of bytes dependent on the current CRC value. For the 
earlier example where the pseudorandom permutation was applied using a pseudorandom 
swap table to re-order the bytes of each 256-byte block of the chunk, the same swap table 
would be generated before XORing the keystream with the ciphertext. Then the swap 
table, being self-inverting, would be used on the resulting deciphered but still permuted 
plaintext to recover the plaintext. 

The following is an example of the preferred separating technique, corresponding 
to the earlier example of the preferred combining technique: 

Decryption of the ciphertext 47 BB F1 17: 

1. Assuming the correct decryption key (private key) is available, the sequence of 
stuttered keystream bytes will be identical to that used for encryption: 37 04 FF B0 55. 

2. Generate the pseudorandom swap table exactly as in the encryption process, using 
the first stuttered keystream byte. The table contains the pairs (0, 2) and (1, 3). 

3. Before swapping, XOR the ciphertext with the succeeding bytes of the stuttered 
keystream: 47 XOR 04 = 43, BB XOR FF = 44, F1 XOR B0 = 41, 17 XOR 55 = 42. 
The intermediate text is thus 43 44 41 42. 

4. Apply the swap table by swapping first the 0th and 2nd bytes of the intermediate 
text and then the 1st and 3rd bytes: 41 42 43 44. 

5. The result is 41 42 43 44, which is the hexadecimal representation of the ASCII 
string "ABCD", the correctly deciphered plaintext. 

6. Calculate the CRC32 value for the plaintext up to this point. As before, its last 
byte is A5, so as before we generate and discard the next 165 bytes of the stuttered 
keystream before decrypting the next chunk. 
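The combining and separating steps of the two worked examples above, written out as a runnable routine. This is an added example and not code from the patent. The swap-table builder is a stand-in for the C language fragment referred to in the text (which is not reproduced on this page) and is chosen so that it reproduces the example (0x37 mod 3 = 1 exchanges table entries 1 and 2); the keystream source is a constructed byte generator standing in for the mixture generator; the CRC is the standard CRC-32 that zlib implements, which gives the DB 17 20 A5 quoted above. The chained functions show the stutter: after each chunk the low byte of the running CRC says how many keystream bytes to discard, and the decryptor must discard exactly the same number.

```python
import zlib


def make_swap_table(n: int, key_byte: int) -> list:
    """Swap table for an n-byte chunk, seeded by one keystream byte.

    ASSUMPTION (the page's C fragment is not reproduced): start from the
    identity table 0..n-1 and exchange the two neighbouring entries selected
    by key_byte mod (n - 1).  For the worked example 0x37 mod 3 = 1, so the
    table becomes 0 2 1 3.  Consecutive entries are then read as swap pairs.
    """
    table = list(range(n))
    if n >= 2:
        j = key_byte % (n - 1)
        table[j], table[j + 1] = table[j + 1], table[j]
    return table


def apply_swaps(chunk: bytes, table: list) -> bytes:
    """Exchange the byte positions named by each pair in the table.

    Swapping disjoint pairs is self-inverting, so the same call undoes it.
    If n is odd the trailing table entry is left alone, as the text says.
    """
    buf = bytearray(chunk)
    for i in range(0, len(table) - 1, 2):
        a, b = table[i], table[i + 1]
        buf[a], buf[b] = buf[b], buf[a]
    return bytes(buf)


def combine_chunk(plain: bytes, ks: bytes, running_crc: int = 0):
    """Encrypt one chunk: permute with a table from ks[0], then XOR with ks[1:].

    Returns (ciphertext, crc) where crc is the CRC-32 of the plaintext up to
    the end of this chunk; its low byte is the number of keystream bytes to
    discard (the "stutter") before the next chunk.
    """
    n = len(plain)
    permuted = apply_swaps(plain, make_swap_table(n, ks[0]))
    cipher = bytes(p ^ k for p, k in zip(permuted, ks[1:1 + n]))
    return cipher, zlib.crc32(plain, running_crc)


def separate_chunk(cipher: bytes, ks: bytes, running_crc: int = 0):
    """Decrypt one chunk: XOR first, then apply the (self-inverting) swap table."""
    n = len(cipher)
    intermediate = bytes(c ^ k for c, k in zip(cipher, ks[1:1 + n]))
    plain = apply_swaps(intermediate, make_swap_table(n, ks[0]))
    return plain, zlib.crc32(plain, running_crc)


def keystream_stub(seed: int):
    """Constructed stand-in for the stuttered keystream (NOT the mixture
    generator of the patent): a deterministic byte source so the example runs."""
    x = seed & 0x7FFFFFFF
    while True:
        x = (1103515245 * x + 12345) & 0x7FFFFFFF
        yield (x >> 16) & 0xFF


def _take(ks, count: int) -> bytes:
    return bytes(next(ks) for _ in range(count))


def encrypt_message(plain: bytes, ks, chunk_size: int = 4) -> bytes:
    """Chain the chunks: each needs chunk_size + 1 keystream bytes (one for the
    table), and the keystream then skips ahead by the low byte of the running CRC."""
    out, crc = bytearray(), 0
    for i in range(0, len(plain), chunk_size):
        chunk = plain[i:i + chunk_size]
        cipher, crc = combine_chunk(chunk, _take(ks, len(chunk) + 1), crc)
        out += cipher
        _take(ks, crc & 0xFF)          # the stutter: discard and move on
    return bytes(out)


def decrypt_message(cipher: bytes, ks, chunk_size: int = 4) -> bytes:
    out, crc = bytearray(), 0
    for i in range(0, len(cipher), chunk_size):
        chunk = cipher[i:i + chunk_size]
        plain, crc = separate_chunk(chunk, _take(ks, len(chunk) + 1), crc)
        out += plain
        _take(ks, crc & 0xFF)          # must skip exactly as the encryptor did
    return bytes(out)


if __name__ == "__main__":
    ks = bytes.fromhex("3704FFB055")   # the worked example's keystream bytes
    c, crc = combine_chunk(b"ABCD", ks)
    print(c.hex(), hex(crc), crc & 0xFF)   # 47bbf117 0xdb1720a5 165
```

Because the skip count is derived from the plaintext CRC, a single corrupted ciphertext byte desynchronises every chunk that follows it; the decryptor therefore sees garbage rather than a localised error, which is worth knowing when designing the integrity check the text discusses.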
8. Hardware Implementation 

Although the present system is easy to implement in software, one of its 
outstanding advantages is its ability to be implemented in very fast special-purpose 
hardware. Very large scale integrated circuit technology is progressing so rapidly that any 
specific implementation details are soon out of date. However, off-the-shelf components 
do exist that provide some insight into the relative ease or difficulty, and achievable 
speed, of such an implementation. For example, special-purpose chips for performing 
exponentiation over GF[2^n] do exist, such as the CA34C168 key management processor 
produced by Newbridge Microsystems, a Canadian company. It is a TTL-compatible 
CMOS device that operates at up to 16 MHz, and performs exponentiation over the field 
GF[2^593]. This chip has a throughput of 300K bits/second. Despite the fact that this field 
is not necessarily ideal for the present system, these specifications give some idea of the 
rate at which public keys, open keys and final generator initialisation keys can be 
calculated. The same company produces the RBG 1210 random bit generator that 
produces a true random bit stream at 20 K bits/second. Such a device would be suitable 
for generating the random initialisation keys R required here. Very long shift registers 
and discrete logic gates capable of operating at extremely high speeds are available off-
the-shelf or can be easily integrated into custom chips or implemented as field-
programmable gate arrays. 

Figure 4 shows a hardware implementation of an encrypter while Figure 5 shows 
a hardware implementation of the decrypter process, both of which perform in hardware 
the functions previously described. 
9. Signatures and Authentication 

A major and important variant of the preceding approach allows the recipient of 
an encrypted message (user A in our terminology) to confirm that the received and 
decrypted plaintext originated from a specific source (that is, user B) and is not "forged." 
The requirement is to be able to append to a message a "signature" with the property that 
anyone is able to compare the signature with publicly available information in order to 
verify its origin, but that no one else is able to duplicate the signature. This requirement 
should be understood to also imply that it must not be possible to use signatures of 
previous messages to generate signatures for new or spurious messages. It is therefore 
essential that such a "digital signature" be message-dependent. 

We remark here that an unstated assumption underlying any public-key encryption 
system is that the public file (containing the list of addressees and their public keys) must 
be secure against unauthorised modifications. If this were not the case, an intruder could 
replace someone else's public key with his own and thereby compromise the victim's 
security until the tampering was detected. The security of such public files against 
unauthorised tampering is usually provided by password systems or callback procedures, 
and sometimes by physical means. 

Here we assume that a secure public signature archive exists that can hold 
appropriate information registered by individuals who wish to "sign" communications, and 
that this archive is available to inspection by anyone, but secure against the threat of 
modification by anyone other than a legitimate subscriber. We also assume that the 
security of this archive is such that a subscriber is able to append additional signature 
information to his own file but not to modify or delete existing information without 
leaving an adequate audit trail that permits system administrators to record and track 
such modifications. We remark that such precautions are not too different from those 
that must surround "specimen" signatures of the conventional variety. 

We allow the possibility that the public signature archive may also be the same 
one that contains public key information for the encryption system, but note that the two 
files have different functions and probably different legal status. The costs and 
frequencies of modifications and accesses may also have different structures and different 
administrative requirements, suggesting that separating these two publicly-accessible files 
is advisable. 

As background, we summarise the concept of a CRC (cyclic redundancy check) 
value for a message. CRC values are in common use as indicators of file and 
communications integrity, and various international standards (such as CCITT standards) 
exist. The CRC value of a message is a numerical value, typically either 16 or 32 bits 
long, computed from the message in such a way that any small change, distortion or error 
in the message text results in a completely different CRC value. The method of 
computation essentially involves the use of a shift register generator (implemented either 
in hardware or software) to divide a message polynomial (whose coefficients are just the 
bits of the message) by a specific CRC generator polynomial. The CRC value represents 
the coefficients of the remainder modulo the CRC generator polynomial. In the case of 
the 32-bit CCITT standard, the generator polynomial is 

$x^{32} + x^{26} + x^{23} + x^{22} + x^{16} + x^{12} + x^{11} + x^{10} + x^{8} + x^{7} + x^{5} + x^{4} + x^{2} + x + 1.$ 

Our authentication method utilises the CRC concept. In particular, in the context 
of our example mixture (Geffe) generator, for any message M we can define 
$C_M = (C_{M,m}, C_{M,t}, C_{M,b})$, in which each of the three components denotes the 
generator state resulting from dividing the message text by the corresponding generator 
polynomial p(x). We do not describe here the method for utilising the shift register itself 
to perform the division, since it is well-documented elsewhere. $C_M$ then represents a 
value that is essentially equivalent to the message itself, up to multiples of p(x): two 
messages whose difference is a multiple of every component polynomial have the same 
$C_M$, which is why a CRC detects accidental errors but does not by itself rule out a 
deliberately constructed substitute message. 

With this background, a method for secure authentication is as follows. Each 
participant in the communication system is assumed to possess exclusive knowledge of 
an authentication password P which is unique to that participant and which is registered 
with a public signature archive or other message authentication authority. The public 
signature archive or authentication authority possesses its own private key $D_s$ with its 
corresponding public key $E_s$ previously defined with reference to the public key 
cryptographic system that is the subject of this invention. When user B intends to sign 
a message M he is sending to user A, he calculates the generalised CRC value $C_M$ and 
forms a signature $S_M$ by appending it to his authentication password $P_B$ and then 
encrypting the pair $(P_B, C_M)$ using the public key $E_s$ of the public signature archive. He 
then appends the signature $S_M$ to the message. 

If the recipient of the message or a third party wishes to verify the authenticity of 
the signature $S_M$, he computes the generalised CRC value $C'_M$ for the actual message and 
submits it, together with the signature $S_M$ and the name or other information identifying 
user B, to the public signature archive or authentication authority for authentication. The 
public signature archive or authentication authority decrypts the signature using its private 
key $D_s$ and compares the generalised CRC value included therein with the value of $C'_M$, 
and compares the included password with the authentication password registered for user 
B. If both of these match, the public signature archive validates the signature as an 
authentic signature of message M by user B. 

It can be seen from the foregoing that only the actual signer of the message can 
generate the signature $S_M$ since doing so requires knowledge of both user B's 
authentication password and the generalised CRC value of the message. Any attempt to 
duplicate one valid signature in order to sign additional messages is fruitless, since the 
encrypted generalised CRC value matches the one of the message to which it 
corresponds. An advantage of this method is that it does not require additional 
information to be inserted into the public authentication archive each time a message is 
to be signed. Note that in this method verification is not possible from public information 
alone: it requires a query to the authority holding $D_s$, and that authority, which knows $P_B$ 
and can encrypt under $E_s$, must itself be trusted not to produce signatures on B's behalf. 

An alternative preferred embodiment of the public-key authentication system will 
now be described. When user B intends to sign a message M he is sending to user A, 
he generates random numbers $S_{M,m}$, $S_{M,t}$ and $S_{M,b}$ (collectively $S_M$) and calculates 
$C_M + S_M$ and also $V_M = x^{S_M} \bmod p(x)$ for each component generator. User B then 
registers the pair $(C_M + S_M, V_M)$ under his name in the public signature archive, and 
"signs" the message by appending $S_M$ to the message header. If $V_M$ has already been 
registered in the public signature archive, user B repeats this process, computing a new 
$S_M$ and corresponding $V_M$, until a unique $V_M$ is determined (that is, one which has not 
been previously registered in the public signature archive). 

In order to verify that the above process ensures an authentic "signature," observe 
first that anyone in possession of the message and able to inspect the public signature 
archive can compute the CRC value $C'_M$ for the actual message and add $S_M$ in order to 
verify that the result matches the value posted in the public signature archive. It is also 
possible for anyone to compute $V_M = x^{S_M} \bmod p(x)$ and to verify that it also matches the 
value posted in the public signature archive. However, the pair $(C_M + S_M, V_M)$ is 
registered under user B's name, which, given the archive security assumed above, no one 
other than user B can do; it is this control over B's file, rather than the difficulty of any 
computation, that ties the posted pair to B, since anyone who knows M and chooses $S_M$ 
can compute such a pair. As is common in other approaches to authentication, the 
possibility of generating a spurious message with the same CRC value(s) must be 
forestalled by insisting on a specific message structure or protocol. Using three or more 
different polynomials does not remove this need: because each component of $C_M$ is 
linear in the message, any M' differing from M by a multiple of the product of the 
component polynomials has $C_{M'} = C_M$ and would verify against the same posted entry 
and the same header $S_M$. 
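The generalised CRC of the background paragraph, the registration pair of the alternative embodiment and its verification, written out as an added Python example (not code from the patent). Polynomials over GF(2) are held as integers with bit i the coefficient of x^i; the three component polynomials are those of the small example in Section 12 (1 + x + x^2, 1 + x + x^3, 1 + x^3 + x^5) so that the values can be checked by hand against Table 1 there. The bit ordering of the message polynomial (first message bit as the highest power of x) and the reading of "+" as coefficient-wise addition modulo 2 are assumptions of this example. The last function constructs a second message with the same C_M for every component, which is the substitute that a message-structure rule has to exclude.

```python
import secrets

# Polynomials over GF(2) as Python ints: bit i is the coefficient of x^i.
P_MIXER = 0b111        # 1 + x + x^2   (period 3)
P_TOP = 0b1011         # 1 + x + x^3   (period 7)
P_BOTTOM = 0b101001    # 1 + x^3 + x^5 (period 31)
COMPONENTS = (P_MIXER, P_TOP, P_BOTTOM)
# The CCITT CRC-32 generator polynomial in the same representation (degree 32).
# Note: the standardised CRC-32 value adds bit reflection, an initial value and
# a final XOR to the bare remainder computed here.
CRC32_POLY = (1 << 32) | 0x04C11DB7


def poly_mod(m: int, p: int) -> int:
    """Remainder of m(x) on division by p(x): the state a shift register
    dividing by p(x) is left in after the message bits have been fed through."""
    deg = p.bit_length() - 1
    while m and m.bit_length() - 1 >= deg:
        m ^= p << (m.bit_length() - 1 - deg)
    return m


def poly_mul(a: int, b: int) -> int:
    """Carry-less product of two polynomials over GF(2)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def x_power(e: int, p: int) -> int:
    """x^e mod p(x) by square-and-multiply (exponentiation in GF(2^deg p))."""
    result, base = 1, 0b10
    while e:
        if e & 1:
            result = poly_mod(poly_mul(result, base), p)
        base = poly_mod(poly_mul(base, base), p)
        e >>= 1
    return result


def message_poly(msg: bytes) -> int:
    """ASSUMPTION: the first message bit is the highest power of x."""
    return int.from_bytes(msg, "big")


def generalised_crc(msg: bytes, polys=COMPONENTS) -> tuple:
    """C_M: one remainder per component polynomial."""
    m = message_poly(msg)
    return tuple(poly_mod(m, p) for p in polys)


def sign(msg: bytes, polys=COMPONENTS):
    """Alternative embodiment: pick a random exponent S per component, post
    (C_M + S, x^S mod p) to the archive, and carry S in the message header.
    '+' is taken as coefficient-wise addition mod 2, i.e. XOR (assumption)."""
    c = generalised_crc(msg, polys)
    s = tuple(1 + secrets.randbelow((1 << (p.bit_length() - 1)) - 2) for p in polys)
    posted = tuple((ci ^ si, x_power(si, p)) for ci, si, p in zip(c, s, polys))
    return s, posted


def verify(msg: bytes, s: tuple, posted: tuple, polys=COMPONENTS) -> bool:
    """Anyone can check: C'_M + S must equal the posted value and x^S the posted V."""
    c = generalised_crc(msg, polys)
    return all(ci ^ si == cs and x_power(si, p) == v
               for ci, si, (cs, v), p in zip(c, s, posted, polys))


def collide(msg: bytes, shift: int, polys=COMPONENTS) -> bytes:
    """A different message with the same C_M for every component: add
    x^shift times the product of all component polynomials to the message
    polynomial.  Every component remainder is unchanged, whatever the number
    of polynomials, so only message structure can exclude such substitutes."""
    prod = 1
    for p in polys:
        prod = poly_mul(prod, p)
    delta = prod << shift
    if delta.bit_length() > 8 * len(msg):
        raise ValueError("shift too large for this message length")
    return (message_poly(msg) ^ delta).to_bytes(len(msg), "big")
```

For the single byte "A" (0x41 = x^6 + 1) the three remainders are 0, x^2 and x + x^4 + 1, which can be read off the x^6 rows of Table 1.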

10. Multiplicative Congruential Generators as Component Generators 

So-called multiplicative congruential generators (MCGs), or Lehmer generators, 
are widely used in computer systems as pseudorandom number generators. In the 
simplest variant of this type of generator, a sequence of numbers is generated using the 
relationship $x_n = c \, x_{n-1} \pmod q$, where q is a prime number and c is a constant integer 
between 2 and (q-1) chosen in such a way that c is a primitive root modulo q (so that 
its powers run through all of 1, ..., q-1). The starting value or "seed" $x_0$ is selected 
arbitrarily. For example, q is sometimes chosen to be $2^{31} - 1$, which is a convenient 
Mersenne prime, and c might be chosen as the integer 524287. The resulting sequence 
of integers between 1 and (q-1) has period (q-1), essentially being a permutation of all 
31-bit integers except for the two whose binary representations are all zeroes or all ones. 

Although these sequences have the attractive properties of being quick and easy 
to compute and having reasonably long periods, they have long been known to have poor 
statistical properties when used as pseudorandom number generators (unless they are 
nonlinearly "shuffled") and D. Knuth has published a detailed analysis of their inadequacy 
as keystream generators in cryptography. However, these weaknesses do not necessarily 
impair their usefulness as component generators in mixture generators of the types we 
have described, which have a highly nonlinear structure. 

Assuming that an MCG is selected so that its modulus q is a Mersenne prime of 
the form $2^n - 1$, the generator output comes in n-bit blocks. These can be viewed as a 
stream of bits starting with the low-order bit. "Clocking" or advancing an MCG a 
specified number of bits is accomplished by carrying out the appropriate number of 
integer exponentiations and multiplications modulo q to obtain the necessary block and 
then selecting the correct bit position within the block. Thus, for this type of component 
generator, integer multiplication modulo $2^n - 1$ replaces polynomial multiplication modulo 
p(x). This procedure carries with it the need to perform arithmetic on quite large 
integers, but methods exist to perform this arithmetic reasonably efficiently, particularly 
when q is a Mersenne prime. 

Using an MCG as the mixer generator can be accomplished either by utilising the 
binary state given by the contents of several fixed bit positions within the generator and 
discarding the rest (that is, clocking the MCG at a rate n times as fast as the generators 
whose outputs are being selected) or by using groups of successive bits in the MCG's bit 
stream output. An example of the latter approach is analogous to the one shown in 
Figure 1, in which the MCG is used as a mixer to select among 8 other generators (whose 
structures are irrelevant here). The entire stream of bits coming from the MCG can be 
used, three bits at a time, to accomplish the selection. 
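An added Python example (not code from the patent) for the MCG component just described: a primitive-root test for the multiplier, which is the condition that gives the full period q - 1; advancing the generator k outputs in a single modular exponentiation, which is the "clocking as exponentiation" of the text; and the n-bit-block, low-order-bit-first view of the output, consumed three bits at a time as a selector among 8 generators. The multiplier 16807 (7^5, a primitive root of 2^31 - 1) and the seed values are this example's own choices; the test for 524287, the value the text mentions, is simply reported.

```python
def prime_factors(n: int) -> list:
    """Distinct prime factors by trial division; fine for numbers near 2^31."""
    factors, d = [], 2
    while d * d <= n:
        if n % d == 0:
            factors.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors


def is_primitive_root(c: int, q: int) -> bool:
    """c is a primitive root modulo the prime q (so x -> c*x mod q cycles through
    all of 1..q-1) iff c^((q-1)/f) != 1 (mod q) for every prime f dividing q-1."""
    if not 2 <= c <= q - 2:
        return False
    return all(pow(c, (q - 1) // f, q) != 1 for f in prime_factors(q - 1))


def mcg_step(x: int, c: int, q: int) -> int:
    """One output of the Lehmer generator x_n = c * x_{n-1} (mod q)."""
    return (c * x) % q


def mcg_jump(x: int, c: int, q: int, k: int) -> int:
    """Advance k outputs at once: x_{n+k} = c^k * x_n (mod q).  This is the
    exponentiation that replaces polynomial exponentiation for this component."""
    return (pow(c, k, q) * x) % q


def mcg_bits(x: int, c: int, q: int, nbits: int, count: int) -> list:
    """The output viewed as a bit stream: each nbits-bit block emitted
    low-order bit first (q = 2^nbits - 1, so every block fits in nbits bits)."""
    bits = []
    while len(bits) < count:
        x = mcg_step(x, c, q)
        bits.extend((x >> i) & 1 for i in range(nbits))
    return bits[:count]


def mixer_selections(bits: list, width: int = 3) -> list:
    """Consume the stream width bits at a time as an index 0..2^width-1, i.e. a
    selector among 8 component generators for width = 3 (Figure 1 analogue).
    The first bit of each group is taken as the low-order bit of the index."""
    return [sum(bits[i + j] << j for j in range(width))
            for i in range(0, len(bits) - width + 1, width)]


Q = (1 << 31) - 1      # the Mersenne prime 2^31 - 1 of the text
C = 16807              # 7^5, a primitive root modulo Q (the Park-Miller multiplier)

if __name__ == "__main__":
    print(prime_factors(Q - 1))
    print(is_primitive_root(C, Q), is_primitive_root(524287, Q))
    x = 12345
    print(mcg_jump(x, C, Q, 1000))
    print(mixer_selections(mcg_bits(x, C, Q, 31, 30)))
```

The jump-ahead is exactly what makes an MCG usable as a component of this system: a private or random key component D becomes the exponent in c^D mod q, and the Knuth weaknesses the text mentions concern the statistics of the sequential output, not this algebra.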

11. Cryptographic Security 

We will discuss in general terms both the security level afforded by the 
transformation from private keys to public keys and the properties of the ciphertext 
resulting from a simple XOR combination of the generator keystream output with the 
plaintext. 

In terms of a so-called "chosen plaintext attack" against the private key, the 
security level of the proposed system corresponds directly to the computational difficulty 
of discovering a private key when its corresponding public key is known and the attacker 
has full knowledge of the cryptographic system and is able to apply it to generate a public 
key corresponding to any chosen private key. Assuming a generator structure such as the 
one shown in Figure 2, the outputs of each of the 3 component MLSRGs can be viewed 
mathematically as elements of a finite field of order $2^p$ known as $GF(2^p)$. Since a 
different random initialisation key R is chosen for each message, the operation of 
advancing a generator in order to generate a public key corresponding to a given private 
key can be viewed as mathematically equivalent to exponentiation over $GF(2^p)$, and the 
inverse problem of finding the private key from the public key is mathematically 
equivalent to computing logarithms over $GF(2^p)$. The level of computational security of 
this part of the proposed system is therefore comparable to the difficulty of computing 
logarithms over $GF(2^p)$. Although in the late 1970's the best known algorithm for doing 
this required on the order of $2^{p/2}$ operations, more recent progress in this field now 
indicates that using the best currently known method, only on the order of 
$2^{c \sqrt[3]{p \log^{2} p}}$ operations are required, where c is a "small" constant that has been 
empirically estimated as about 1.4 or 1.5. In the case when a (130,127) MLSRG is used, 
so that p = 127, a comparison of these two quantities shows the difference between an 
exponent of about 63 in the first case as compared to about 26 or 27 in the second case. 
This means that computation of logarithms in $GF(2^{127})$, which would earlier have been 
effectively impossible, is now only moderately difficult, requiring only a few hours on a 
modern mainframe computer. In terms of the small example suggested earlier in this 
document, in which three MLSRGs of lengths 87, 89 and 127 were used in the Geffe 
configuration shown in Figure 2, these figures imply that only a moderate level of 
computational security is obtained. 

In the larger example suggested, using the same Geffe generator configuration but 
with MLSRG lengths of 89, 127 and 521, the public key system proposed here can still 
be easily implemented on a personal computer, but the level of computational security 
is much higher. Considering only the longest generator, of length 521, the above figures 
indicate that the number of operations needed to compute logarithms over $GF(2^{521})$ 
would be on the order of about $2^{50}$ using the best currently-known algorithm, which is 
believed to be near-optimal. Even assuming improvements of several orders of 
magnitude over present-day computers, the proposed public-key system will be 
computationally secure in these circumstances; that is, it will be infeasible to compute an 
unknown private key from all available information regardless of the computational 
resources brought to bear. Furthermore, still larger component generators can be used 
with only a modest increase in the computational effort required for encryption and 
decryption and without unduly burdening the public key file as a result of the additional 
key length, so that the security of the system can be increased to any desired level. 
(These estimates reflect the algorithms known at the time of writing; discrete logarithm 
algorithms for fields of small characteristic have improved substantially since, so the 
figures should not be relied upon for present-day parameter choices.) 

Using multiplicative congruential generators instead of shift register generators 
tends to increase the computational difficulty of the discrete logarithm problem, and 
therefore to enhance the security of the encryption procedure. This is because the 
logarithms must be computed over a field GF(q) where q is a prime rather than over 
$GF(2^p)$, and the best currently known algorithm for this case is less efficient, requiring 
on the order of $2^{c \sqrt{p \log p}}$ operations when the modulus q is a Mersenne prime $2^p - 1$. For 
example, this translates roughly into about $2^{40} \approx 10^{12}$ operations when p = 127, several 
thousand times greater than in the case of $GF(2^p)$. 

We now discuss the security of the system from the viewpoint of a "chosen 
plaintext" attack against the keystream generator and combining procedure described 
earlier. This type of attack is one in which a cryptanalyst has access to all public keys 
and has available a complete cryptographic system, including direct access to the 
keystream generator (the mixture generator in this case) that he can use to generate 
corresponding pairs of plaintext-ciphertext messages. This situation means that the 
cryptanalyst can inspect any number of subsequences of any length he chooses from the 
keystream output, starting from any desired initial state of the generator. Note that the 
period length of a mixture generator is very long (approximately $2^{303}$ even for the smaller 
of the Geffe configurations discussed). 

By generating a large number of such portions of the keystream ("search 
fragments") and performing a sliding correlation between each of them and an unknown 
ciphertext, the cryptanalyst might try to discover "overlaps" which could be detected by 
statistical analysis. The likelihood of detectable overlaps depends upon the lengths of 
messages and the speed at which the generator can be run, but probabilistic analysis 
shows that the likelihood of any overlaps at all is extremely small. For example, even 
assuming that the generator is capable of being clocked at 1000 gigabits per second ($2^{40}$ 
bits per second), that the plaintext length averages one gigabit ($2^{30}$ bits) and that an 
overlap with a search fragment can be effectively detected instantaneously (i.e., in zero 
time) with a sliding correlator using search fragments only $2^{10}$ bits (one kilobit) long, then 
in the case of the smaller Geffe-type generator the expected time for "finding" a 
particular ciphertext is on the order of $2^{240}$ seconds! 

A probabilistic analysis also shows that, under the same assumptions, the 
probability of any overlaps at all for messages corresponding to randomly chosen 
initialisation keys is negligible, so that a "known plaintext" attack based on this approach 
(the so-called "common birthday" problem) is also futile. In addition, even if portions of 
the plaintext corresponding to an unknown ciphertext are assumed to be known (or can 
be guessed) by the cryptanalyst, it is impossible to "extend" the keystream (in a manner 
analogous to the solution of a running key cipher) so as to solve for the remaining 
portions of the plaintext unless the length of such a known portion exceeds the 
"complexity" of the generator, which is 58193 bits even for the smaller of the Geffe 
generator configurations illustrated. Even this remote contingency can be addressed by 
limiting the maximum length of a plaintext to be enciphered under any single random 
initialisation key, segmenting longer messages when necessary, although the gain in 
security must be evaluated in the light of the consequent performance penalty. 

A simpler form of correlation attack in which the analyst attempts to discover 
correlations between the output keystream and component generators has been discussed 
in the mathematical literature but is ineffective in the present system because of the very 
long periods of the component generators and their excellent autocorrelation and cross-
correlation properties. (It should be noted, however, that the output of a Geffe combiner 
agrees with each of the two selected inputs in three positions out of four regardless of the 
component periods, and divide-and-conquer correlation attacks exploiting this are 
described in the literature; the period and correlation properties of the components do 
not by themselves dispose of that attack.) 
12. A Small Example 

Although it is useless for cryptographic purposes, for clarity we include a small 
example to illustrate the operation of the proposed system. This example will use 
MLSRG components in a Geffe configuration as shown in Figure 2. The individual 
generators are shown in Figure 3. The stage numbers indicate the power of x 
corresponding to the given stage. 

The generator polynomials p(x) for these three generators are, respectively: 

Mixer: $1 + x + x^{2}$; Top: $1 + x + x^{3}$; Bottom: $1 + x^{3} + x^{5}$ 

The entire output streams (i.e., full periods of 3, 7 and 31 bits) of these three 
generators are: 

Mixer: 101 
Top: 1001011 
Bottom: 0010000101011101100011111001101 
Table 1 

Row k gives the state of each generator after k clocks from its initial state, together 
with the coefficients of x^k modulo that generator's polynomial. 

 k    Mixer              Top                    Bottom 
      State   1 x        State   1 x x^2        State   1 x x^2 x^3 x^4 
 0    01      10         001     100            00100   10000 
 1    10      01         100     010            00010   01000 
 2    11      11         010     001            00001   00100 
 3                       101     110            10000   00010 
 4                       110     011            01000   00001 
 5                       111     111            10100   10010 
 6                       011     101            01010   01001 
 7                                              10101   10110 
 8                                              11010   01011 
 9                                              11101   10111 
 10                                             01110   11001 
 11                                             10111   11110 
 12                                             11011   01111 
 13                                             01101   10101 
 14                                             00110   11000 
 15                                             00011   01100 
 16                                             10001   00110 
 17                                             11000   00011 
 18                                             11100   10011 
 19                                             11110   11011 
 20                                             11111   11111 
 21                                             01111   11101 
 22                                             00111   11100 
 23                                             10011   01110 
 24                                             11001   00111 
 25                                             01100   10001 
 26                                             10110   11010 
 27                                             01011   01101 
 28                                             00101   10100 
 29                                             10010   01010 
 30                                             01001   00101 
Table 1 above shows the complete sequences of states for these generators, and 
the corresponding polynomial coefficients (that is, the state but with the stages 
renumbered to match the appropriate powers of x). We should emphasise, however, 
that the sizes of the generators involved in practice would make computation of Table 1 
impossible in a practical sense and it is included here for illustrative purposes only. 
Sorting the columns of the table would effectively provide tables of logarithms modulo 
the generator polynomials. 

Here the initial states are given by: 

$a_0 = \left( \begin{pmatrix} 0 \\ 1 \end{pmatrix}, \begin{pmatrix} 0 \\ 0 \\ 1 \end{pmatrix}, \begin{pmatrix} 0 \\ 0 \\ 1 \\ 0 \\ 0 \end{pmatrix} \right)$ 

Inspecting the stage numbers displayed in Figure 3 shows that each of these states 
corresponds to the polynomial $1 = 1 + \sum_{j=1}^{M-1} 0 \cdot x^{j}$, where M is the length of the 
generator concerned; that is, each initial state represents $x^{0}$. 

For each of the three component generators, the polynomial coefficients 
corresponding to binary powers of x are easily computed (modulo p(x)) as those given 
in Table 2 below. We again emphasise that the states corresponding to these powers 
are obtained simply by rotating (that is, renumbering) the bits appropriately. 

Table 2 

 Power k    Mixer x^k          Top x^k                Bottom x^k 
            State   1 x        State   1 x x^2        State   1 x x^2 x^3 x^4 
 2^0 = 1    10      01         100     010            00010   01000 
 2^1 = 2    11      11         010     001            00001   00100 
 2^2 = 4                       110     011            01000   00001 
 2^3 = 8                                              11010   01011 
 2^4 = 16                                             10001   00110 

If we choose a private key of D = (3, 6, 24), the corresponding public key is 
computed as follows, using Table 2 extensively: 

a) Since $D_m = 3$ (11 in binary), we compute $x^{3} = x^{2} \cdot x$ by first loading the mixer 
generator with the state 1 1 corresponding to the polynomial $x^{2}$, then clocking it once 
to multiply by x, resulting in the state 0 1. This gives $E_m = (0, 1)^{T}$. 

b) Since $D_t = 6$ (110 in binary), we compute $x^{6} = x^{4} \cdot x^{2}$ by first loading the top 
generator with the state 1 1 0 (polynomial coefficients 0 1 1) corresponding to the 
polynomial $x^{4}$, then clocking it twice to multiply by $x^{2}$, resulting in the state 0 1 1. 
This gives $E_t = (0, 1, 1)^{T}$. 

c) Since $D_b = 24$ (11000 in binary), we need to compute $x^{24} = x^{16} \cdot x^{8}$. This is slightly 
more complex than the previous cases, since the second factor $x^{8}$ corresponds to a 
polynomial with more than one nonzero coefficient. We see from Table 2 that 
$x^{8} = 0 \cdot 1 + 1 \cdot x + 0 \cdot x^{2} + 1 \cdot x^{3} + 1 \cdot x^{4}$ (that is, polynomial coefficients 0 1 0 1 1), 
so that we must load the generator three times with the state 1 0 0 0 1 corresponding to 
$x^{16}$, clocking it 1, 3 and 4 times respectively, to multiply by $x$, $x^{3}$ and $x^{4}$ since these 
are the powers of x that appear with nonzero coefficients in $x^{8}$, and then adding 
corresponding coefficients modulo 2. These 3 resulting states are: 

11000, 11110, 11111 

and adding their corresponding coefficients modulo 2 gives a final state of 1 1 0 0 1. 
This gives $E_b = (1, 1, 0, 0, 1)^{T}$. 
Now suppose that some other user wishes to send us a message by encrypting a 
plaintext of, say, the characters "AA", whose ASCII representation in binary is 
01000001 01000001. The sender first generates a random initialisation key R. 
Various means for accomplishing this are possible, for example utilising a noisy diode. 
We suppose that R has been generated here as R = (2, 3, 7). 

The sender's first task is to compute Q. This is done in the same fashion as 
computing E from D, and makes use of Table 2 as before. 

d) Q_m can be read directly from the x^2 line of the table as the state 1 1. 

e) We obtain Q_t by computing x^3 = x^2·x. The state of the top generator 
corresponding to x^2 is 0 1 0, and loading the generator with these contents and 
clocking it once to multiply by x results in the state 1 0 1. 

f) To compute Q_b we use Table 2 to compute x^7 = x^4·x^2·x for the bottom generator. 
The last two of these powers contain only a single nonzero coefficient each, so it is 
easy to load the bottom generator with 0 1 0 0 0 (the state corresponding to x^4), clock 
the generator two times, and finally clock it one more time. The resulting state is 
1 0 1 0 1. 

The message header will then contain Q as follows (it may well contain additional 
message-specific information): 

Q_m = (1, 1)^T, Q_t = (1, 0, 1)^T, Q_b = (1, 0, 1, 0, 1)^T. 
The next step is to calculate K. We do this by a similar exponentiation process, 
but this time raising polynomials corresponding to the components of the public key E 
to powers given by R. 

g) First K_m is obtained by raising the polynomial corresponding to E_m to the power 
R_m = 2. It happens in this example that E_m corresponds to the zero-degree 
polynomial $1 = 1 \cdot x^0 + \sum_{j=1}^{n-1} 0 \cdot x^j$, so that no work at all is required as, obviously, 1 
raised to any power is still 1. Thus K_m is the same as E_m, and corresponds to the state 
0 1. This situation should never be expected to occur in practice. It has been caused 
by the choice of D_m to be 3, equal to the period length of the mixer generator. This 
obviously poor choice for either D or R is simple to disallow when implementing 
the system. 

h) Next we raise E_t to the power R_t = 3. To compute this, we need to build a table 
similar to Table 2, but listing the binary powers of E_t rather than of x. For purposes 
of this example, we only need to compute E_t^2, since E_t^3 = E_t^2·E_t. Since E_t is the state 
0 1 1, corresponding to the polynomial 1 + x^2, we load the top generator with this 
state, clock it twice to obtain 1 0 0 and then add corresponding coefficients of these 
modulo 2 to get the state 1 1 1 corresponding to E_t^2. Then we use the generator 
again to multiply this by E_t. We do this by loading the generator with 1 1 1, clocking 
it twice to obtain 0 0 1 and adding coefficients of these modulo 2 to finally obtain 
1 1 0 for K_t. 

i) To compute K_b, we raise E_b to the power R_b = 7. Again we need to build a table 
similar to Table 2 to obtain E_b^4 and E_b^2, then compute E_b^7 = E_b^4·E_b^2·E_b. We have E_b = 
1 1 0 0 1 = x^2 + x^3 + x^4, so we get E_b^2 as the modulo 2 sum of E_b·x^2 = 1 0 1 1 0, 
E_b·x^3 = 0 1 0 1 1 and E_b·x^4 = 0 0 1 0 1 (obtained by clocking the generator), which 
yields 1 1 0 0 0, corresponding to x^3 + x^4. Squaring this gives E_b^4 as 1 0 0 0 0, 
eventually giving K_b as 0 1 1 0 1. 

The state K will therefore be given by: 

K_m = (0, 1)^T, K_t = (1, 1, 0)^T, K_b = (0, 1, 1, 0, 1)^T. 
j) The output streams from the 3 generators starting from these states will be: 

Mixer: 101101101101101101... 

Top: 011100101110010111001... 

Bottom: 1011000111110011010010000101011... 

k) The first 16 bits of the resulting (mixture) keystream will then be: 

0011001111100001... 

l) Computing the exclusive-OR of this stream with the plaintext will then yield the 
ciphertext: 

0111001010100000 
m) The decryption process begins with the computation of K by raising the 
components of Q to powers given by the private key D. This exponentiation process 
is completely analogous to the procedures already illustrated in steps g), h) and i) 
above. Briefly, we have K_m = Q_m^(D_m) = 1, and K_t = Q_t^(D_t) = Q_t^6 = Q_t^4·Q_t^2, these 
last two factors corresponding to the states 1 1 1 and 0 1 1, respectively, so that 
K_t = (1, 1, 0)^T. 

Finally we can compute K_b = Q_b^(D_b) = Q_b^24 = Q_b^16·Q_b^8, calculating the latter 
two factors as corresponding to the respective states 1 1 1 1 0 and 0 1 1 0 0. 
This gives the result K_b = (0, 1, 1, 0, 1)^T. 

n) Since (as expected) the state K is the same as the one computed by the sender of 
the message, starting the mixture generator from this state produces the same 
keystream output as shown in steps j) and k) above, which can be XOR-ed with the 
ciphertext to recover the plaintext. 
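The whole of steps a) to n) carried through in code, as an added example that is not part of the patent text. Field elements are polynomials over GF(2) held as integers; "exponentiation" is square-and-multiply, whose squarings are the rows of Table 2 and whose multiplies are the load, clock and add-modulo-2 steps described above. The feedback polynomials 1 + x + x^2, 1 + x + x^3 and 1 + x^3 + x^5, the stage ordering (which polynomial coefficient each displayed stage holds, with the rightmost stage as the output) and the Geffe rule that a mixer bit of 1 selects the top stream and 0 the bottom stream are not stated in the text; they are inferred from Table 2 and the streams in steps j) and k), and the example assumes them. The `degenerate` check is the rejection of period-multiple exponents that step g) says an implementation should perform.

```python
"""Steps a) to n) of the worked example (added illustration, not the patent's code).
Assumed, since Figure 3 is not reproduced: feedback polynomials, stage ordering and the
Geffe selection rule, all inferred from Table 2 and the output streams of steps j) and k)."""
from typing import List, Tuple

Triple = Tuple[int, int, int]

# (register length n, feedback polynomial p(x) as a bit mask, stage order left to right;
#  the last entry of the order is the coefficient held by the output stage)
GENERATORS = (
    (2, 0b111,    (1, 0)),           # mixer:  p(x) = 1 + x + x^2,   period 3
    (3, 0b1011,   (1, 2, 0)),        # top:    p(x) = 1 + x + x^3,   period 7
    (5, 0b101001, (3, 4, 0, 1, 2)),  # bottom: p(x) = 1 + x^3 + x^5, period 31
)
X: Triple = (2, 2, 2)  # the polynomial x in each field: the known initial state 1 clocked once


def mul(a: int, b: int, n: int, p: int) -> int:
    """a(x)*b(x) mod p(x). Shifting a left by one is one clock of the generator."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n & 1:
            a ^= p
    return r


def power(a: int, e: int, n: int, p: int) -> int:
    """a(x)^e mod p(x) by square-and-multiply: the squarings are the binary powers of
    Table 2, the multiplies are the 'load, clock, add modulo 2' steps of the text."""
    r = 1
    while e:
        if e & 1:
            r = mul(r, a, n, p)
        a = mul(a, a, n, p)
        e >>= 1
    return r


def exponentiate(base: Triple, exps: Triple) -> Triple:
    """Component-wise exponentiation in the three fields: E = X^D, Q = X^R, K = E^R = Q^D."""
    return tuple(power(b, e, n, p) for b, e, (n, p, _) in zip(base, exps, GENERATORS))


def state(a: int, order: Tuple[int, ...]) -> str:
    """Display a field element as the generator's stage contents in the text's numbering."""
    return "".join(str(a >> i & 1) for i in order)


def degenerate(exps: Triple) -> bool:
    """An exponent that is a multiple of a generator's period 2^n - 1 maps x to 1
    (as D_m = 3 does for the mixer in step g); such a D or R must be disallowed."""
    return any(e % ((1 << n) - 1) == 0 for e, (n, _, _) in zip(exps, GENERATORS))


def keystream(k: Triple, nbits: int) -> List[int]:
    """Clock the three generators from state K and combine them as a Geffe mixture:
    the mixer's output bit selects the top stream (1) or the bottom stream (0)."""
    regs = list(k)
    out = []
    for _ in range(nbits):
        m, t, b = (regs[i] >> GENERATORS[i][2][-1] & 1 for i in range(3))
        out.append(t if m else b)
        regs = [mul(regs[i], 2, GENERATORS[i][0], GENERATORS[i][1]) for i in range(3)]
    return out


def to_bits(data: bytes) -> List[int]:
    return [byte >> (7 - i) & 1 for byte in data for i in range(8)]


def encrypt(public: Triple, r: Triple, plaintext: bytes) -> Tuple[Triple, List[int]]:
    """Sender: the open key Q = X^R goes in the header, K = E^R seeds the keystream."""
    q, k = exponentiate(X, r), exponentiate(public, r)
    bits = to_bits(plaintext)
    return q, [pb ^ kb for pb, kb in zip(bits, keystream(k, len(bits)))]


def decrypt(private: Triple, q: Triple, cbits: List[int]) -> bytes:
    """Receiver: K = Q^D, then the same keystream XORed back onto the ciphertext."""
    pbits = [c ^ s for c, s in zip(cbits, keystream(exponentiate(q, private), len(cbits)))]
    return bytes(int("".join(map(str, pbits[i:i + 8])), 2) for i in range(0, len(pbits), 8))


if __name__ == "__main__":
    D, R = (3, 6, 24), (2, 3, 7)
    E = exponentiate(X, D)
    Q, C = encrypt(E, R, b"AA")
    for name, v in (("E", E), ("Q", Q), ("K", exponentiate(E, R))):
        print(name, [state(c, g[2]) for c, g in zip(v, GENERATORS)])
    print("ciphertext", "".join(map(str, C)), "decrypts to", decrypt(D, Q, C))
    print("D contains a period multiple:", degenerate(D))
```

Run as a script it prints the states 01, 011, 11001 for E, 11, 101, 10101 for Q and 01, 110, 01101 for K, the ciphertext 0111001010100000 and the recovered plaintext, and flags D = (3, 6, 24) because of the mixer component. The toy registers are there only to reproduce the text's numbers; the discrete-logarithm difficulty the scheme relies on needs the register lengths of the Geffe generators discussed in the next section.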

13. Randomisation and Key Management Issues 

The present method involves a fairly high total number of key bits by comparison 
with existing systems. The U.S. Data Encryption Standard (DES), for example, 
utilises 56 bits for the key, whereas the Geffe generators used as examples above 
involve 87+89+127 = 303 key bits or 89+127+521 = 737 key bits, equal to the sums 
of the lengths of the component generators. While these long keys provide high levels 
of security, their lengths are high enough to merit special key management techniques. 
First, all cryptographic keys are best selected randomly, rather than as easily-remembered 
or systematically generated patterns, to protect against the more naive 
forms of cryptanalytic attacks. Well-known hardware means exist for generating true 
random bit streams, such as noisy diodes. Another approach is to use biometric 
methods. Since microsecond-resolution timing hardware is present on virtually all 
personal computers these days, an example of this is to record the time intervals 
between successive asynchronous human-generated events such as keystrokes. The 
low-order digits of the lengths of such intervals have acceptable randomness 
properties. In any case, it is important to attempt to select the random initialisation 
keys R in the present invention in as nearly as possible a truly random manner, since 
systematic or repeated use of such keys would severely compromise the security of the 
system. 

The present invention envisages the use of another biometric technique, with a 
multi-dimensional (for example a two-dimensional) computer input device such as a 
pen, a drawing pad, a mouse or other pointing device, or a touch screen. A user can 
be requested to draw or "scribble" a random pattern, whereupon various possible 
attributes of the generated pattern can be used to obtain adequately random input. 
For example, when a mouse is available the low-order bits of the numbers 
representing the mouse coordinates at specified times may be suitable. Alternatively, 
the speeds of the mouse at particular times, or the time intervals between particular 
types of mouse events, or spatial properties (such as curvature) of the parametric 
curve traced by the mouse may be used. 

In a preferred embodiment, a user can be requested to move a mouse pointer 
more or less randomly (that is, to "wave it" or "scribble" with it) within the area of a 
window displayed on a computer display screen for this purpose. The x and y 
coordinates of the positions of the mouse pointer sensed by the computer's operating 
environment at successive times can then be recorded as a succession of pairs of 16-bit 
binary numbers, until an adequate number of mouse movements has occurred. The 
first 25% and last 25%, for example, of these points can be discarded as being 
possibly insufficiently random, and then the low-order 4 bits of all the remaining 16-bit 
coordinate values can be extracted and concatenated to form the desired random 
number. 

Care needs to be taken to ensure that quirks of the hardware and software do not 
distort or destroy randomness of the attributes being measured. For instance, in the 
Microsoft Windows operating environment, the timing resolution available for external 
events such as mouse or keyboard events is only 55 milliseconds, so that inter-event 
timings may turn out to be very non-random. Also, attempts to intercept or interfere 
with system timing information or mouse event processing must be guarded against, 
since such intrusions could represent a serious security threat. 
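The preferred embodiment of the two preceding paragraphs in code, as an added example rather than anything from the patent: 16-bit pointer coordinates are sampled, the first and last quarter of the samples are dropped, and the low-order 4 bits of every remaining coordinate are concatenated into the random number. It also adds the check the 55 millisecond remark calls for: before inter-event timings are trusted, the effective tick of the event clock is measured as the greatest common divisor of the intervals, since a coarse tick leaves the "low-order digits" of the intervals nearly deterministic. The pointer samples and timestamps are constructed for the example, and the function names are the example's own.

```python
"""Random-key material from pointer movement (added example, not the patent's code).
The sample points and event timestamps below are constructed, not measured."""
from functools import reduce
from math import gcd
from typing import List, Tuple

Point = Tuple[int, int]


def coordinate_bits(points: List[Point], low_bits: int = 4, trim: float = 0.25) -> str:
    """Low-order bits of the middle (1 - 2*trim) fraction of the sampled 16-bit coordinates,
    concatenated in sample order: the preferred embodiment's extraction rule."""
    cut = int(len(points) * trim)
    kept = points[cut:len(points) - cut]
    mask = (1 << low_bits) - 1
    return "".join(f"{c & mask:0{low_bits}b}" for x, y in kept for c in (x & 0xFFFF, y & 0xFFFF))


def timer_tick(timestamps: List[int]) -> int:
    """Effective resolution of the event clock: the gcd of all nonzero inter-event intervals.
    A tick of 55 (the Windows figure cited) means the intervals carry only a few bits each,
    however random their decimal digits look."""
    deltas = [b - a for a, b in zip(timestamps, timestamps[1:]) if b != a]
    return reduce(gcd, deltas, 0)


def initialisation_key(points: List[Point], bits_needed: int) -> int:
    """Assemble R from pointer samples; refuse to pad or stretch if too little was gathered,
    since the text warns that systematic or reused R compromises the system."""
    bits = coordinate_bits(points)
    if len(bits) < bits_needed:
        raise ValueError(f"only {len(bits)} bits gathered, {bits_needed} needed: keep scribbling")
    return int(bits[:bits_needed], 2)


# Constructed sample: eight pointer positions, plus two event clocks, one quantised to 55 ms.
SAMPLE_POINTS: List[Point] = [(100, 200), (105, 210), (117, 222), (131, 240),
                              (140, 251), (152, 263), (160, 270), (170, 280)]
COARSE_CLOCK = [0, 55, 110, 165, 275]
FINE_CLOCK = [3, 17, 29, 46]

if __name__ == "__main__":
    print("bits:", coordinate_bits(SAMPLE_POINTS))
    print("coarse tick:", timer_tick(COARSE_CLOCK), "fine tick:", timer_tick(FINE_CLOCK))
    print("R =", hex(initialisation_key(SAMPLE_POINTS, 32)))
```

With eight samples only the middle four are used, giving 32 bits; a real session needs several hundred samples for the key lengths quoted above, and `initialisation_key` refuses rather than reuses material when the count falls short. The gcd test returns 55 for the quantised clock and 1 for the fine one; only in the latter case are inter-event intervals worth feeding in.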

While most pseudorandom number generators in common use on computer 
systems are not adequate for these needs, the keystream output of the mixture 
generators discussed in the present document has excellent randomness properties, 
and provides a compromise approach, which we discuss here. In particular, if a moderate 
number of the states in each component generator are initialised from a truly random 
source and the generator is then run (or advanced) for a brief time (say, 1000 clock 
cycles), the resulting final generator state will be statistically indistinguishable from a 
true random state. We refer to this process as "key hashing." The high complexity of 
the generators described here makes this a reasonable alternative to other means that 
have been suggested, such as the use of a DES chip or algorithm in so-called "counter" 
mode. 

The storage and management of cryptographic keys must be addressed, although 
a public-key system is inherently less dependent upon such factors for its security than 
conventional or private-key systems. If a private key is stored anywhere in a computer 
or data storage system, physical security becomes an important issue. In some 
applications, electromagnetic emissions of the cryptographic equipment or computer 
must be considered. While compact storage is possible on portable media such as 
magnetic or optically-encoded cards, cost or other considerations may dictate that keys 
must either consist of or be able to be generated easily from data (for example, a 
password) which is to reside solely in human memory. Since conventional 
alphanumeric symbols provide only between 5 and 6 bits of information per character, 
and since typical passwords are limited to no more than 8 to 10 characters, no more 
than 50 to 60 key bits can be supplied in this manner. 
The present invention envisages initialising a limited number of stages of the 
component generators of a mixture generator with key bits obtained from a password 
and then imitating the approach mentioned above, running or advancing the 
generators for a brief time to simulate a random key. Such a system may be 
vulnerable to cryptanalytic "key cluster" attacks or the like, but by extending the 
number of clock cycles used in the initialisation or "hashing" phase and introducing 
nonlinearities like "stutter" (to inhibit rapid advancing of the generators and thus limit 
the rate at which trial keys can be generated) security can be enhanced. 

INDUSTRIAL APPLICABILITY 

The encryption system of the present invention has application in most areas 
where secure communications are required with the advantages which flow from a 
true public key system. Non-limiting examples include: 

(1) the secure transfer of personal or financial information, including credit card 
numbers or authorisations, over public networks such as the Internet, to eliminate the 
risk of theft or misuse of such information, 

(2) the transmission of secure voice communications over existing computer networks, 
including the Internet, or over public switched lines, to ensure the privacy of such 
communications. In this application, digitised and/or compressed voice data can be 
encrypted in real time without the need for prior contact or prearrangement of a 
secret "key", 

(3) ensuring the privacy of electronic mail or facsimile communications over either 
public switched lines or computer networks, including the Internet. 

ADVANTAGES 

• Known cryptanalytic difficulty 

The difficulty of successful cryptanalysis of the present algorithms can be assessed 
in quantitative terms. It is possible to "tailor" this difficulty to any desired level by a 
straightforward choice of system parameters depending upon the intended field of 
application. 

• High speed 

Whether implemented in software or hardware, the present algorithms allow the 
following tasks to be accomplished as quickly as possible: 

a) Generating a public key from an arbitrarily chosen private key 

b) Encryption of an arbitrary plaintext bit stream 

c) Decryption of an encrypted ciphertext. 

• High security 

The system is capable of offering very high security, provable in terms of 
modern cryptographic standards and methods, against sophisticated modern 
cryptanalytic attacks. 

• Minimum length of ciphertext 

To prevent inefficiencies in transmission, the system produces ciphertext whose 
length is substantially equivalent to the length of the plaintext. 

• Non-deterministic 

Even if the system is required to encrypt an identical plaintext more than once 
using the same public key, each resulting ciphertext differs from the others in a non-systematic 
way in order to deter compilation of a "codebook" and to foil other 
cryptanalytic attacks. 

• Simplicity and efficiency of implementation 

The essential computations required to implement the system are able to be 
accomplished either in hardware or software while making a minimum of demands on 
computational equipment. This facilitates implementation in embedded systems, 
custom or dedicated hardware or "smart cards," as well as in software running on 
widely available processors. 
CLAIMS 

1. A public-key encryption system wherein a message sender encrypts a plaintext 
message P using a publicly known key unique to a message receiver and the message 
receiver decrypts the encrypted message using a secret private key from which the 
public key has been derived, characterised in that: 

(1) a private key (D) is selected which comprises a plurality of binary numbers 
D_1 to n; 

(2) a public key (E) is computed by exponentiation (as hereinbefore defined) 
using the private key by, for each of the said numbers D_1 to n, calculating the state of a 
pseudo-random binary number generator from a given and known initial state after a 
number of clock pulses or state transitions equal to the corresponding number given 
by the private key D_1 to n and providing each of the calculated binary states E_1 to n as a 
component of the public key E; 

(3) the message sender 

(a) generates a random initialisation key (R) comprising a set of binary 
numbers R_1 to n and computes by exponentiation an open key Q by, for each of the 
numbers R_1 to n, calculating the state of a pseudo-random binary number generator 
from a given and known initial state after a number of clock pulses or state transitions 
equal to the corresponding number given by the random initialisation key R_1 to n and 
providing each of the calculated binary states Q_1 to n as a component of the open key 
Q, 

(b) exponentiates the components of the public key E by the components 
of the random initialisation key R to produce generator initialisation states K_1 to n by, 
for each of the said numbers E_1 to n and R_1 to n, calculating the state of a pseudo-random 
binary number generator that would result from applying the process defined 
in step (2) a number of times equal to the corresponding binary number R_1 to n, 

(c) loads a set (n) of pseudo-random binary number generators, the 
outputs of which are combined to form a first mixture generator, with initial values 
K_1 to n, 

(d) clocks the first mixture generator to obtain a keystream serial output, 

(e) combines said keystream output with the binary plaintext message P to 
produce an encrypted bit stream ciphertext C, 

(f) adds the ciphertext C to the open key Q to produce a message stream, 

(g) transmits the message to the message receiver; 

(4) the message receiver 

(a) extracts the open key Q from the message stream, 

(b) exponentiates the open key Q by the private key D to derive generator 
initialisation states K_1 to n by, for each of the said numbers Q_1 to n and D_1 to n, 
calculating the state of a pseudo-random binary number generator that would result 
from applying the process defined in step (3)(a) a number of times equal to the 
corresponding binary number D_1 to n, 

(c) loads a second set (n) of pseudo-random binary number generators, the 
outputs of which are combined to form a mixture generator, with the generator 
initialisation states K_1 to n, 

(d) clocks the mixture generator to obtain a keystream serial output and 
combines this output with the received encrypted bit stream to produce the sender's 
plaintext message. 

2. A public key encryption system according to claim 1 wherein said mixture 
generator comprises a set (n) of maximal period linear shift register generators, with 
one generator in the set arranged to select in a memoryless fashion the outputs of the 
remaining (n - 1) members of the set to provide said keystream serial output when all 
generators are clocked. 

3. A public key encryption system according to claim 1 wherein generating said 
random initialisation key R comprises the steps of: 

(1) manipulating an electronic pointer device whose state at any time t can be 
described as a point X_t represented by a plurality of coordinates (X_{t,1}, X_{t,2}, ...); 

(2) measuring the points X_t describing the states of said input device at a 
plurality of time instants t = 1, 2, ..., n; 

(3) selecting a subset of the points thus measured corresponding to a subset of 
said time instants; 

(4) computing a numerical function of the coordinates of all the points thus 
selected; 

(5) producing the desired random numbers as the plurality of binary digits 
which represent the value of the numerical function thus computed. 
4. A public key encryption system according to any one of claims 1 to 3 wherein 
combining said keystream with the binary plaintext P to produce said ciphertext C 
comprises the steps of, for each component P_i of P, 

(1) generating a pseudorandom permutation T of the bytes 1, ..., n_i using a 
plurality of bytes of the serial keystream output; 

(2) permuting the relative positions of the bytes within the part P_i according 
to the permutation T to form an intermediate part I_i; 

(3) forming the i-th part C_i of the encrypted bit stream by, for each byte B of 
the intermediate part I_i, 

(a) generating one or more bytes of the serial keystream output; and 

(b) replacing the byte B with a quantity that depends upon the byte B 
and the said generated byte or bytes of the serial keystream output. 

5. A public key encryption system according to claim 4 including the steps of, for 
each successive part P_i, computing a cumulative current message digest value D_i for all 
parts of the binary information P from its beginning up to and including P_i; and 

obtaining and discarding a number of additional bytes of the serial keystream 
output, said number depending upon the current message digest value D_i. 

6. Encryption apparatus for a public key encryption system in which a private key 
(D) is selected which comprises a plurality of binary numbers D_1 to n and a public key 
(E) is exponentiated using the private key by, for each of the said numbers D_1 to n, 
calculating the state of a pseudo-random binary number generator from a given initial 
state after a number of clock pulses or state transitions equal to the corresponding 
number given by the private key D_1 to n, and providing each of the calculated binary 
states E_1 to n as a component of the public key E, said apparatus comprising: 

means for generating a random initialisation key (R) comprising a set of binary 
numbers R_1 to n; 

means for calculating by exponentiation an open key Q by, for each of the said 
numbers R_1 to n, calculating the state of a pseudo-random binary number generator 
from a given and known initial state after a number of clock pulses or state transitions 
equal to the corresponding number given by the random initialisation key R_1 to n and 
providing each of the calculated binary states Q_1 to n as a component of the open 
key Q; 

means for exponentiating the components of the public key E by the components 
of the random initialisation key R to produce generator initialisation states K_1 to n by, 
for each of the said numbers E_1 to n and R_1 to n, calculating the state of a pseudo-random 
binary number generator that would result from applying the process used to 
exponentiate public key (E) a number of times equal to the corresponding binary 
number R_1 to n; 

a mixture generator comprising a set (n) of pseudo-random binary number 
generators, the outputs of which are combined to form the output of the mixture 
generator; 

means which load said set (n) of pseudo-random binary number generators with 
initial values equal to K_1 to n; 

means which clock the mixture generator to obtain a keystream serial output; 

means which receive a plaintext message and combine the output of the mixture 
generator with the binary plaintext message to produce an encrypted bit stream; 

means for adding the ciphertext C to the open key Q to produce a message 
stream, and 

means for transmitting the message stream to the message receiver. 
7. Decryption apparatus for a public-key encryption system in which a private key 
(D) is selected which comprises a plurality of binary numbers D_1 to n and a public key 
(E) is exponentiated using the private key by, for each of the said numbers D_1 to n, 
calculating the state of a pseudo-random binary number generator from a given initial 
state after a number of clock pulses or state transitions equal to the corresponding 
number given by the private key D_1 to n, and providing each of the calculated binary 
states E_1 to n as a component of the public key E, and wherein a plaintext message is 
encrypted according to a process whereby the message sender 

(1) generates a random initialisation key (R) comprising a set of binary numbers 
R_1 to n and computes by exponentiation an open key Q by, for each of the said numbers 
R_1 to n, calculating the state of a pseudo-random binary number generator from a given 
and known initial state after a number of clock pulses or state transitions equal to the 
corresponding number given by the random initialisation key R_1 to n and providing 
each of the calculated binary states Q_1 to n as a component of the open key Q; 

(2) exponentiates the components of the public key E by the components of the 
random initialisation key R to produce generator initialisation states K_1 to n by, for 
each of the said numbers E_1 to n and R_1 to n, calculating the state of a pseudo-random 
binary number generator that would result from applying the process previously 
defined, wherein a private key is used to exponentiate a public key, a number of times 
equal to the corresponding binary number R_1 to n; 

(3) loads a set (n) of pseudo-random binary number generators, the outputs of 
which are combined to form a mixture generator, with initial values K_1 to n; 

(4) clocks the mixture generator to obtain a keystream serial output and 
combines this output with the binary plaintext message to produce an encrypted bit 
stream ciphertext C, and 

(5) transmits the encrypted bit stream together with the open key Q to the 
message receiver, 

said decryption apparatus comprising: 

means for extracting the open key Q from the encrypted bit stream; 

means for exponentiating the components of the open key Q by the components 
of the private key D to derive generator initialisation states K_1 to n by, for each of the 
said numbers Q_1 to n and D_1 to n, calculating the state of a pseudo-random binary 
number generator that would result from applying the process defined above for 
deriving the open key Q a number of times equal to the corresponding binary number 
D_1 to n; 

a set (n) of pseudo-random binary number generators, the outputs of which are 
combined to form a mixture generator; 

means which load said set (n) of pseudo-random binary number generators with 
initial values equal to K_1 to n; 

means for clocking the mixture generator to obtain a keystream serial output; 

and means for combining this output with the received ciphertext C to produce 
the plaintext message P. 

8. A public-key authentication system wherein a message sender appends signature 
information to a message and registers corresponding authentication information 
together with his name in a signature archive that is open to public inspection and 
wherein a message verifier obtains the message and its signature information, and the 
authentication information from the public signature archive and uses these to confirm 
whether or not the message has been sent by the sender identified by said signature 
information, characterised in that: 

(1) the message sender 

(a) selects a random digital signature (S) consisting of a plurality of binary 
numbers S_1 to n; 

(b) exponentiates a verification key V by, for each of said numbers S_1 to n, 
calculating the state of a pseudo-random binary number generator from a given 
initial state after a number of clock pulses or state transitions equal to the 
corresponding number given by the random digital signature S_1 to n and providing each 
of the calculated binary states V_1 to n as a component of the verification key V; 

(c) checks said signature archive to ensure that the verification key V 
computed in (b) has not yet been registered and if V has previously been registered 
repeats steps (a) and (b); 

(d) computes a generalised cyclic redundancy check (CRC) value C by, for 
each one of a set (n) of pseudo-random binary number generators, computing the 
remainder resulting from dividing the sequence of bits comprising the message being 
sent by a modulus corresponding to said pseudo-random binary number generator and 
providing each such remainder C_1 to n as a component of the generalised CRC value C; 

(e) computes the sum C + S (modulo 2) and registers this sum and the 
verification key V under his name in the public signature archive; 

(f) appends S to the message being sent, and 

(2) the message verifier 

(a) extracts the digital signature (S) consisting of a plurality of binary 
numbers S_1 to n from the message; 

(b) computes a generalised cyclic redundancy check (CRC) value C by, for 
each of the said numbers S_1 to n, computing the remainder resulting from dividing the 
sequence of bits comprising the received message by a modulus corresponding to a 
pseudo-random binary number generator and providing each such remainder C_1 to n as 
a component of the generalised CRC value C; 

(c) computes a verification key V by, for each of said numbers S_1 to n, 
exponentiating a given initial state of the corresponding pseudo-random binary 
number generator using each said number S_1 to n by means of the process defined in 
step (1)(b); 

(d) computes the sum C + S (modulo 2); 

(e) searches the public signature archive under the name of the sender 
identified by said signature information of the message for authentication information 
matching the values C + S (modulo 2) and V computed in (c) and (d); 

(f) validates the message as authentic if the search in (e) is successful, or 
rejects it as spurious if the search in (e) is unsuccessful. 
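Both sides of claim 8, sender steps (1)(a) to (f) and verifier steps (2)(a) to (f), as an added example that is not the patent's code. The "modulus corresponding to" each generator is its feedback polynomial, so each component of the generalised CRC is the message polynomial reduced modulo that polynomial, and V_i is the generator state after S_i clocks from the known initial state, exactly as the claim defines it. The three small generators of the worked example serve as the moduli; the public signature archive is modelled as a dictionary from sender name to registered (C + S, V) pairs, the range S is drawn from, and the use of a dictionary in place of a real registry are assumptions of the example.

```python
"""Claim 8's public-archive signature scheme (added example, not the patent's code).
Assumed: the three toy generators as moduli, a dict as the public signature archive, and
S_i drawn from 1 .. 2^n - 2 so that no component of V is the identity state 1."""
import secrets
from typing import Dict, List, Optional, Tuple

MODULI = ((2, 0b111), (3, 0b1011), (5, 0b101001))  # (degree n, feedback polynomial p(x))
Vector = Tuple[int, ...]
Archive = Dict[str, List[Tuple[Vector, Vector]]]   # name -> [(C + S, V), ...]


def to_bits(msg: bytes) -> List[int]:
    return [b >> (7 - i) & 1 for b in msg for i in range(8)]


def remainder(bits: List[int], n: int, p: int) -> int:
    """Message polynomial modulo p(x): long division over GF(2), one message bit per clock."""
    r = 0
    for bit in bits:
        r = (r << 1) | bit
        if r >> n & 1:
            r ^= p
    return r


def generalised_crc(msg: bytes) -> Vector:
    """Steps (1)(d) and (2)(b): one remainder per generator."""
    bits = to_bits(msg)
    return tuple(remainder(bits, n, p) for n, p in MODULI)


def clocked_state(s: int, n: int, p: int) -> int:
    """Generator state after s clocks from the known initial state 1, i.e. x^s mod p(x)."""
    a = 1
    for _ in range(s):
        a <<= 1
        if a >> n & 1:
            a ^= p
    return a


def verification_key(S: Vector) -> Vector:
    """Steps (1)(b) and (2)(c): V_i is the i-th generator exponentiated by S_i."""
    return tuple(clocked_state(s, n, p) for s, (n, p) in zip(S, MODULI))


def mod2_sum(C: Vector, S: Vector) -> Vector:
    """C + S (modulo 2): component-wise XOR of the bit patterns."""
    return tuple(c ^ s for c, s in zip(C, S))


def random_signature() -> Vector:
    """Fresh S: 0 and the period 2^n - 1 are excluded because both give V_i = 1."""
    return tuple(1 + secrets.randbelow((1 << n) - 2) for n, _ in MODULI)


def sign(archive: Archive, name: str, msg: bytes, S: Optional[Vector] = None) -> Vector:
    """Sender, steps (1)(a) to (f): choose S until its V is unregistered (step (c)), register
    (C + S, V) under `name` (step (e)) and return S for appending to the message (step (f)).
    A caller-supplied S is used only if its V is still free; otherwise a random one is drawn."""
    registered = {v for entries in archive.values() for _, v in entries}
    while S is None or verification_key(S) in registered:
        S = random_signature()
    archive.setdefault(name, []).append((mod2_sum(generalised_crc(msg), S), verification_key(S)))
    return S


def verify(archive: Archive, name: str, msg: bytes, S: Vector) -> bool:
    """Verifier, steps (2)(a) to (f): recompute C and V from the received message and the
    appended S, and look for the matching (C + S, V) under the claimed sender's name."""
    entry = (mod2_sum(generalised_crc(msg), S), verification_key(S))
    return entry in archive.get(name, [])


if __name__ == "__main__":
    archive: Archive = {}
    S = sign(archive, "alice", b"pay 100", (2, 3, 7))
    print("genuine:", verify(archive, "alice", b"pay 100", S))
    print("altered:", verify(archive, "alice", b"pay 900", S))
    print("wrong sender:", verify(archive, "bob", b"pay 100", S))
```

A modified message changes C, so the (C + S, V) pair is not found under the sender's name and the message is rejected; a second message signed with the same S is refused at step (c) and gets a fresh S. Everything the verifier computes is derivable from the message and S alone, so the scheme's assurance comes entirely from the integrity of the archive lookup in step (2)(e), which the claim leaves to the archive.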

9. A public-key authentication system wherein a message authenticator selects a 
private key D which comprises a plurality of binary numbers D lton and exponentiates 
a public key E using the private key by, for each of the said numbers D 2 to D , 
5 calculating the state of a pseudo-random binary number generator from a given initial 
state after a number of clock pulses or state transitions equal to the corresponding 
number given by the private key D x to n and providing each of the calculated binary 
states to n as a component of the public key E, and makes E available for public 
inspection, and wherein a message sender registers unique authentication information 

10 with said message authenticator and appends signature information to a message, and 
wherein a message verifier obtains the message, calculates a generalised CRC value 
for the message, submits the message signature information, the generalised CRC 
value and the sender's name or other identifying information to the message 
authenticator, and wherein said message authenticator uses said generalised CRC 

15 value, said message signature information and said registered authentication 
information to confirm whether or not the message has been sent by the sender 
identified by said authentication information, characterised in that: 
(1) the message sender 

(a) selects an authentication password (P) consisting of a plurality of 
binary numbers; 

(b) requests said signature authenticator to register the authentication 
password P to correspond to his name or other identifying information and to confirm 
that P has not yet been registered by anyone and, if informed that P has previously 
been registered, repeats step (a); 

(c) computes a generalised cyclic redundancy check (CRC) value C_M by, 
for each one of a set (n) of pseudo-random binary number generators, computing the 
remainder resulting from dividing the sequence of bits comprising the message being 
sent by a modulus corresponding to said pseudo-random binary number generator and 
providing each such remainder Q_1 to n as a component of the generalised CRC value 
C_M; 

(d) computes intermediate signature information by appending the 
generalised CRC value C_M to the authentication password P; 

(e) computes message signature information S_P,M by encrypting the 
intermediate signature information computed in step (d) using the signature 
authenticator's public key E by 

(i) selecting a random initialisation key (R) comprising a set of 
binary numbers R_1 to n and exponentiating the initial state using each number by, for 
each of the said numbers R_1 to n, calculating the state of a pseudo-random binary 
number generator from a given initial state after a number of clock pulses or state 
transitions given by the random initialisation key R_1 to n and providing each of the 
calculated binary states Q_1 to n to produce an open key Q, 

(ii) exponentiating the components of the signature 
authenticator's public key E by the components of the random initialisation key R to 
produce generator initialisation states K_1 to n by, for each of the said numbers E_1 to n 
and R_1 to n, calculating the state of a pseudo-random binary number generator that 
would result from applying the process previously defined, wherein a private key is 
used to exponentiate a public key, a number of times equal to the corresponding 
binary number R_1 to n, 

(iii) loading a set (n) of pseudo-random binary number 
generators, the outputs of which are combined to form a mixture generator, with 
initial values K_1 to n, 

(iv) clocking the mixture generator to obtain a keystream serial 
output and combining this output with said intermediate signature information to 
produce encrypted intermediate signature information, 

(v) appending said encrypted intermediate signature information 
to said open key Q to produce message signature information S_P,M, 

(f) appending the said message signature information S_P,M to the message 
and also appending his name or other identifying information to the message, 
(2) the message verifier 

(a) extracts the message signature information (S_P,M) and the sender's 
name or other identifying information from the message; 

(b) computes a generalised CRC value C'_M for the message by means of 
the process defined in step (1)(c); 

(c) submits the said message signature information and the sender's name 
or other identifying information and the said generalised CRC value C'_M to the 
signature authenticator and requests said signature authenticator to compare the 
authentication password P and generalised CRC value C_M encrypted within the 
message signature information S_P,M with C'_M and the sender's name or other 
identifying information, and 
(3) the message authenticator 

(a) decrypts the message signature information S_P,M using its private key D 
by 

(i) extracting the open key Q from the message signature 
information, 

(ii) exponentiating the open key Q by the private key D to derive 
generator initialisation states K_1 to n by, for each of the said numbers Q_1 to n and D_1 to n, 
calculating the state of a pseudo-random binary number generator that would result 
from applying the process defined in step (1)(e)(i) a number of times equal to the 
corresponding binary number D_1 to n, 

(iii) loading a second set (n) of pseudo-random binary number 
generators, the outputs of which are combined to form a mixture generator, with the 
generator initialisation states K_1 to n, 

(iv) clocking the mixture generator to obtain a keystream serial 
output and combining this output with the message signature information to thereby 
recover the intermediate signature information P and C_M computed in step (1)(d); 

(b) compares the value of P contained in said intermediate signature 
information with the authentication password registered as corresponding to the name 
or other identifying information submitted in step (2)(c); 

(c) compares the value of C_M contained in said intermediate signature 
information with the value of C'_M submitted in step (2)(c); 

(d) confirms to the message verifier that the message is authentic if both 
of the comparisons in steps (c) and (d) are successful, or rejects it as spurious if either 
comparison fails. 
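The two operations that claim 9 leans on, "exponentiating" a generator state by clocking it R times (steps (1)(e)(i)-(ii) and (3)(a)(ii)) and the generalised CRC of step (1)(c), are shown below as an added worked example in Python. This is not the patent's own code. It assumes, as the patent does not state, that each pseudo-random binary number generator is a Galois LFSR whose state is a polynomial over GF(2) reduced modulo the generator's feedback polynomial, so that one clock pulse multiplies the state by x and R pulses multiply it by x^R; the sample moduli, initial states a0, private key D and initialisation key R are constructed values. The check at the end is the property the whole scheme rests on: advancing E by R clocks and advancing Q by D clocks land on the same state K.

```python
"""Added worked example (not the patent's own code): clocking-as-exponentiation
for claim 9 steps (1)(e)(i)-(ii) and (3)(a)(ii), plus the generalised CRC of
step (1)(c).

Assumption (not stated by the patent): each generator is a Galois LFSR whose
state is a polynomial over GF(2) reduced modulo its feedback polynomial, so one
clock pulse multiplies the state by x and R pulses multiply it by x^R.
Square-and-multiply makes the legitimate parties' work cheap, while recovering
R from a state is a discrete logarithm in GF(2^deg)."""

# Constructed sample moduli (bit k = coefficient of x^k). All three are
# primitive over GF(2), so each generator has maximal period 2^deg - 1.
MODULI = [0b100101, 0b10000011, 0b100000000101]  # x^5+x^2+1, x^7+x+1, x^11+x^2+1


def gf2_mulmod(a: int, b: int, mod: int) -> int:
    """Carry-less product of two GF(2) polynomials (both of degree < deg),
    reduced modulo mod."""
    deg = mod.bit_length() - 1
    result = 0
    while b:
        if b & 1:
            result ^= a
        b >>= 1
        a <<= 1
        if (a >> deg) & 1:
            a ^= mod
    return result


def clock_n(state: int, n: int, mod: int) -> int:
    """Generator state after n clock pulses: state * x^n mod p(x),
    computed by square-and-multiply on the polynomial x (0b10)."""
    result, base = state, 0b10
    while n:
        if n & 1:
            result = gf2_mulmod(result, base, mod)
        base = gf2_mulmod(base, base, mod)
        n >>= 1
    return result


def public_key(a0, d):
    """E_i = known initial state a0_i advanced D_i clocks (receiver's public key)."""
    return [clock_n(a, di, m) for a, di, m in zip(a0, d, MODULI)]


def open_key_and_states(a0, e, r):
    """Step (1)(e)(i)-(ii): Q_i = a0_i advanced R_i clocks; K_i = E_i advanced R_i clocks."""
    q = [clock_n(a, ri, m) for a, ri, m in zip(a0, r, MODULI)]
    k = [clock_n(ei, ri, m) for ei, ri, m in zip(e, r, MODULI)]
    return q, k


def recover_states(q, d):
    """Step (3)(a)(ii): K_i = Q_i advanced D_i clocks, using the private key D."""
    return [clock_n(qi, di, m) for qi, di, m in zip(q, d, MODULI)]


def gf2_mod(a: int, mod: int) -> int:
    """Remainder of polynomial a modulo mod over GF(2)."""
    deg = mod.bit_length() - 1
    while a.bit_length() - 1 >= deg:
        a ^= mod << (a.bit_length() - 1 - deg)
    return a


def generalised_crc(message: bytes):
    """Step (1)(c): one remainder per generator modulus; the list is C_M."""
    poly = int.from_bytes(message, "big")  # message bits as polynomial coefficients
    return [gf2_mod(poly, m) for m in MODULI]


if __name__ == "__main__":
    a0 = [1, 1, 1]          # known initial generator states (constructed)
    d = [13, 101, 1500]     # receiver's private key D (constructed)
    r = [7, 45, 999]        # sender's random initialisation key R (constructed)
    e = public_key(a0, d)
    q, k_sender = open_key_and_states(a0, e, r)
    k_receiver = recover_states(q, d)
    print("sender and receiver derive the same K:", k_sender == k_receiver)
    print("C_M for a sample message:", generalised_crc(b"example message"))
```

The agreement of `k_sender` and `k_receiver` is just commutativity of multiplication in GF(2)[x]/(p(x)): a0 * x^D * x^R = a0 * x^R * x^D. The toy degrees (5, 7, 11) make the log trivially recoverable by brute force; the claim's security rests entirely on choosing degrees large enough that the discrete logarithm in GF(2^deg) is infeasible.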

10. A method for generating random numbers comprising the steps of: 
(1) manipulating an electronic pointer device whose state at any time t can be 
described as a point represented by a plurality of coordinates (X_1, X_2, ...); 
(2) measuring the points X_t describing the states of said input device at a 
plurality of time instants t = 1, 2, ... n; 

(3) selecting a subset of the points thus measured corresponding to a subset of 
said time instants; 

(4) computing a numerical function of the coordinates of all the points thus 
selected; 

(5) producing the desired random numbers as the plurality of binary digits 
which represent the value of the numerical function thus computed. 

11. A method of combining a serial keystream output with binary information P, 
comprising a succession of parts P_1, ... P_N in which each part P_i represents a number 
of bytes n_i, to produce an encrypted bit stream C comprising a succession of parts C_i, 
said method comprising the steps of, for each successive part P_i: 

(1) generating a pseudorandom permutation T of the bytes 1, ... n_i using a 
plurality of bytes of the serial keystream output; 

(2) permuting the relative positions of the bytes within the part P_i according 
to the permutation T to form an intermediate part I_i; 

(3) forming the i-th part C_i of the encrypted bit stream by, for each byte B of 
the intermediate part I_i, 

(a) generating one or more bytes of the serial keystream output; and 

(b) replacing the byte B with a quantity that depends upon the byte B 
and the said generated byte or bytes of the serial keystream output. 

12. A method of combining a serial keystream with binary information according to 
claim 11 including the steps of, for each successive part P_i, computing a cumulative 
current message digest value D_i for all parts of the binary information P from its 
beginning up to and including P_i; and 
obtaining and discarding a number of additional bytes of the serial keystream 
output, said number depending upon the current message digest value D_i. 

13. A method of combining a serial keystream output with an encrypted bit stream C 
comprising a succession of parts C_1, ... C_N, in which each part C_i consists of a number 
of bytes n_i, to recover binary information P comprising a succession of parts P_i, said 
method comprising the steps of, for each successive part C_i: 

(1) generating a pseudorandom permutation T of the numbers 1, ... n_i using a 
plurality of bytes of the serial keystream output; 

(2) forming an intermediate part I_i by, for each byte B of the part C_i, 
generating one or more bytes of the serial keystream output; and 
replacing the byte B with a quantity that depends upon the byte B 
and the said generated byte or bytes of the serial keystream output; and 

(3) permuting the relative positions of the bytes within the intermediate part I_i 
according to the permutation T to form the i-th part P_i of said binary information. 

14. A method of combining a serial keystream with an encrypted bit stream according 
to claim 14 including the steps of, for each successive part P_i, computing a current 
message digest value D_i for all parts of the binary information P from its beginning up 
to and including P_i; and 
obtaining and discarding a number of additional bytes of the serial keystream 
output, said number depending upon the current message digest value D_i. 
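Claims 11 and 13 describe one combiner from the two ends (permute the bytes of a part by a keystream-derived permutation T, then substitute each byte using further keystream bytes; undo in reverse order), and claims 12 and 14 add the digest-dependent discard of keystream bytes between parts. The Python below is an added worked example covering all four claims; it is not the patent's own code. Everything the claims leave open is an assumption here: the serial keystream is stood in for by SHA-256 in counter mode under a constructed key (not the patent's mixture generator), T is a Fisher-Yates shuffle driven by keystream bytes, the "quantity that depends upon the byte B and the generated byte" is XOR, the digest D_i is SHA-256 over the parts processed so far, and the discard count is the first digest byte modulo 64.

```python
"""Added worked example (not the patent's own code): the permute-then-
substitute combiner of claims 11 and 13 with the digest-dependent keystream
discard of claims 12 and 14.

Assumptions (not stated by the patent): stand-in keystream = SHA-256 in
counter mode; T = Fisher-Yates shuffle from keystream bytes; substitution =
XOR with one keystream byte; D_i = SHA-256 over P_1..P_i; discard count =
first byte of D_i modulo 64."""
import hashlib
import itertools


class Keystream:
    """Stand-in serial keystream: SHA-256(key || counter) blocks, one byte at a time."""

    def __init__(self, key: bytes):
        blocks = (hashlib.sha256(key + n.to_bytes(8, "big")).digest()
                  for n in itertools.count())
        self._bytes = itertools.chain.from_iterable(blocks)

    def byte(self) -> int:
        return next(self._bytes)

    def discard(self, n: int) -> None:
        """Claims 12/14: consume and throw away n keystream bytes."""
        for _ in range(n):
            self.byte()


def keystream_permutation(ks: Keystream, n: int) -> list:
    """Claim 11 step (1): a pseudorandom permutation T of positions 0..n-1,
    built by Fisher-Yates with each index drawn from two keystream bytes."""
    perm = list(range(n))
    for i in range(n - 1, 0, -1):
        j = ((ks.byte() << 8) | ks.byte()) % (i + 1)
        perm[i], perm[j] = perm[j], perm[i]
    return perm


def combine_part(ks: Keystream, part: bytes) -> bytes:
    """Claim 11: permute P_i by T into I_i, then replace each byte B of I_i
    with B XOR one freshly generated keystream byte, giving C_i."""
    t = keystream_permutation(ks, len(part))
    intermediate = bytes(part[t[k]] for k in range(len(part)))  # I_i
    return bytes(b ^ ks.byte() for b in intermediate)            # C_i


def uncombine_part(ks: Keystream, part: bytes) -> bytes:
    """Claim 13: regenerate T, undo the substitution to get I_i, then undo
    the permutation to recover P_i. Keystream consumption order matches
    combine_part exactly, which is what keeps the two ends in step."""
    t = keystream_permutation(ks, len(part))
    intermediate = bytes(b ^ ks.byte() for b in part)           # I_i
    out = bytearray(len(part))
    for k in range(len(part)):
        out[t[k]] = intermediate[k]
    return bytes(out)


def encrypt(key: bytes, parts) -> list:
    """Claims 11 + 12 over a succession of parts P_1..P_N."""
    ks, digest, out = Keystream(key), hashlib.sha256(), []
    for p in parts:
        out.append(combine_part(ks, p))
        digest.update(p)                       # D_i covers P_1..P_i
        ks.discard(digest.digest()[0] % 64)    # claim 12: digest-dependent skip
    return out


def decrypt(key: bytes, parts) -> list:
    """Claims 13 + 14: the digest is taken over the recovered plaintext, so a
    corrupted part desynchronises the keystream for every later part."""
    ks, digest, out = Keystream(key), hashlib.sha256(), []
    for c in parts:
        p = uncombine_part(ks, c)
        out.append(p)
        digest.update(p)
        ks.discard(digest.digest()[0] % 64)
    return out


if __name__ == "__main__":
    key = b"constructed demo key"
    parts = [b"first part", b"", b"x", bytes(range(256))]
    ct = encrypt(key, parts)
    print("round trip ok:", decrypt(key, ct) == parts)
```

Two points worth noticing from the code rather than the claim text: the permutation step changes only byte order, so part lengths are visible in the ciphertext (a stream property the patent does not hide), and the digest-driven discard makes later parts depend on earlier plaintext, so decryption of a stream with one damaged part fails from that part onward rather than self-resynchronising.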

15. A mixture generator suitable for use in a public key encryption system 
comprising: 

a set (n) of maximal period linear shift register generators, 
means for clocking said n generators, 

means for sequentially selecting the outputs of n - 1 of said generators to produce 
a mixed keystream, 

decoding means for decoding the outputs of a plurality of the last m stages of the 
nth generator, 

said decoder output controlling said selecting means in its selection of the 
particular generator output to use during each clock period. 

16. A mixture generator according to claim 15 wherein n = 3 and m = 1. 
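The n = 3, m = 1 mixture generator of claims 15 and 16 is shown below as an added worked example in Python; it is not the patent's own code. The feedback polynomials, register form (Fibonacci) and the decoding rule (the last stage of generator 3 selects generator 1 when 0 and generator 2 when 1) are assumptions, as are the sample states. With these choices the device is the structure known in the literature as the Geffe generator, and the last function measures the property a reviewer checks first on any selector combiner: the keystream agrees with each selected register about three quarters of the time instead of half, which is the correlation that lets the component registers be evaluated separately.

```python
"""Added worked example (not the patent's own code): the mixture generator of
claims 15 and 16 with n = 3 and m = 1, plus a correlation measurement.

Assumptions (not stated by the patent): Fibonacci-form LFSRs over the
constructed primitive polynomials below; the "last stage" of generator 3 is
its output bit, and the decoder picks generator 1 when it is 0, generator 2
when it is 1."""

# Constructed sample values: (degree, feedback polynomial, bit k = x^k).
# All three polynomials are primitive, so each register is maximal period.
TAPS = [(5, 0b100101), (7, 0b10000011), (11, 0b100000000101)]


class LFSR:
    """Maximal-period linear feedback shift register (Fibonacci form)."""

    def __init__(self, degree: int, poly: int, state: int):
        if not 0 < state < (1 << degree):
            raise ValueError("state must be nonzero and fit in the register")
        self.degree, self.state = degree, state
        self.mask = poly & ((1 << degree) - 1)  # tapped stages below x^degree

    def clock(self) -> int:
        """Emit the last stage, shift, and feed back the parity of the tapped stages."""
        out = self.state & 1
        fb = bin(self.state & self.mask).count("1") & 1
        self.state = (self.state >> 1) | (fb << (self.degree - 1))
        return out


def lfsr_period(degree: int, poly: int) -> int:
    """Clocks until the state returns to its start; 2^degree - 1 iff poly is primitive."""
    g, n = LFSR(degree, poly, 1), 0
    while True:
        g.clock()
        n += 1
        if g.state == 1:
            return n


class MixtureGenerator:
    """Claim 15 with n = 3, m = 1: all three registers are clocked every
    period and the last stage of generator 3 selects which of generators 1
    and 2 supplies the keystream bit."""

    def __init__(self, states):
        self.gens = [LFSR(d, p, s) for (d, p), s in zip(TAPS, states)]

    def bit(self) -> int:
        b1, b2, sel = [g.clock() for g in self.gens]
        return b2 if sel else b1

    def byte(self) -> int:
        v = 0
        for _ in range(8):
            v = (v << 1) | self.bit()
        return v


def encrypt(states, data: bytes) -> bytes:
    """XOR data with the mixture keystream; the same call decrypts."""
    mg = MixtureGenerator(states)
    return bytes(b ^ mg.byte() for b in data)


def agreement_with_generator(states, index: int, nbits: int) -> float:
    """Fraction of keystream bits equal to the output of one component register
    run in lockstep from the same state. For a selector combiner this is about
    0.75 for each selected register, not 0.5, which is why such designs are
    evaluated register by register rather than as one 23-bit state."""
    mg = MixtureGenerator(states)
    d, p = TAPS[index]
    probe = LFSR(d, p, states[index])
    hits = sum(mg.bit() == probe.clock() for _ in range(nbits))
    return hits / nbits


if __name__ == "__main__":
    states = [3, 17, 1000]  # constructed initial values K_1 to 3
    print("periods:", [lfsr_period(d, p) for d, p in TAPS])
    ct = encrypt(states, b"mixture generator demo")
    print("round trip ok:", encrypt(states, ct) == b"mixture generator demo")
    print("agreement with generator 1:", agreement_with_generator(states, 0, 8192))
```

The period check confirms the "maximal period" requirement of claim 15 for the chosen polynomials. The agreement figure is the design caveat: because every output bit is literally one of the two selected registers' bits, the mixture inherits a 3/4 correlation with each of them, so the effective strength is far below what the combined register length suggests; a combiner intended for the public key system described here needs a correlation-immune combining function, not a bare selector.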